September 30, 2020
Carson City, NV – Today, Nevada Attorney General Aaron D. Ford announced that
his office, along with 42 other attorneys general, reached a $39.5 million
settlement with Anthem stemming from its massive 2014 data breach that
involved the personal information of 78.8 million Americans.
Through the settlement, Anthem has reached a resolution with the coalition of
attorneys general. In addition to the payment, Anthem has also agreed to a
series of data security and good governance provisions designed to strengthen
its practices going forward. Nevada’s share of the settlement is $397,306.77.
In February 2015, Anthem disclosed that its network was compromised in
February 2014, using malware installed through a phishing email. The attackers
were ultimately able to gain
access to Anthem’s data warehouse, where they harvested names, dates of birth,
Social Security numbers, healthcare identification numbers, home addresses,
email addresses, phone numbers and employment information for 78.8 million
Americans. In Nevada, 764,039 known residents were impacted by the breach.
“We welcome the services that Anthem provides to Nevada customers, but the
company also must respect their rights as a consumer,” said AG Ford. “It is
imperative that companies act in the best interest of their consumers, which
includes protecting their personal and health-related information.”
Under the settlement, Anthem has agreed to a series of provisions
designed to strengthen its security practices going forward, including:
- A prohibition against misrepresentations regarding the extent to which
  Anthem protects the privacy and security of personal information;
- Implementation of a comprehensive information security program, including
  regular security reporting to the Board of Directors and prompt notice of
  significant security events to the CEO;
- Specific security requirements with respect to segmentation, logging and
  monitoring, anti-virus maintenance, access controls and two-factor
  authentication, encryption, risk assessments, penetration testing and
  employee training, among other requirements; and
- Third-party security assessments and audits for three years, as well as a
  requirement that Anthem make its risk assessments available to a
  third-party assessor during that term.
In the immediate wake of the breach, at the request of the investigating
states, including Nevada, Anthem offered an initial two years of credit
monitoring to all affected U.S. individuals.
In addition to Nevada, other states that participated in this settlement
include: Alaska,
Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Delaware,
Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky,
Louisiana, Maine, Massachusetts, Maryland, Michigan, Minnesota, Mississippi,
Missouri, Nebraska, New Hampshire, New Jersey, New York, North Carolina, North
Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina,
Tennessee, Texas, Virginia, Washington, West Virginia and Wisconsin.
###