Florida Attorney General Ashley Moody announced this week that she helped secure millions of dollars for state governments following a multistate investigation into a major data breach.
Florida is part of a $39.5 million agreement stemming from Anthem’s massive data breach involving the personal information of more than 78 million Americans. Florida is receiving more than $600,000 to resolve the multistate investigation. In addition to the payment, Anthem will implement a series of data security and good governance provisions designed to strengthen its practices going forward.
In 2015, Anthem disclosed that cyber attackers infiltrated its systems, beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers and employment information for more than 78 million Americans, including approximately 1.5 million Floridians.
“Data breaches have far-reaching and long-lasting effects on people’s lives. When companies fail to protect customers’ personal information, they owe it to the public to disclose that information quickly and to take steps to protect them from further damage. I am glad we were able to work with our state partners to resolve this matter and hopefully prevent future breaches and further harm to Anthem customers,” Moody said.
As part of the announcement, Anthem agreed to a series of provisions designed to strengthen its security practices going forward. Those include:
- Prohibiting misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information;
- Implementing a comprehensive information security program, incorporating principles of zero-trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
- Requiring specific security measures with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing and employee training, among other requirements; and
- Having a third party assess and audit security for three years, as well as requiring that Anthem make its risk assessments available to a third-party assessor during that term.
In the immediate wake of the breach, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.
In addition to this agreement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50 and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.
In addition to Florida, represented by Consumer Protection Division assistant attorney general Patrice Malloy, the multistate group includes Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia and Wisconsin.