Anthem settles states’ lawsuit over data breach that affected 2.3 million Kentuckians; state will get more than $1.9 million

Kentucky will get $1,929,942 from Anthem Inc. as part of a 43-state settlement for a data security breach that “compromised the personal information of 78.8 million Americans,” said a news release from Attorney General Daniel Cameron.

Anthem, the state’s leading health insurer, “also agreed to a series of data security and adequate governance provisions designed to strengthen its practices,” the release said. “Attorney General Cameron’s Division of Consumer Protection served on the executive committee of the multi-state team and was a leader in the investigation.”

In February 2015, Anthem disclosed that its data systems had been infiltrated a year earlier. “The attackers gained access to Anthem’s data warehouse and harvested names, dates of birth, Social Security numbers, health-care identification numbers, home addresses, email addresses, phone numbers, and employment information,” the release said. “The personal information of 2,305,612 Kentuckians was compromised.”

The release said the settlement requires Anthem to:

  • Stop making statements about the extent to which it protects the privacy and security of personal information.
  • Implement a comprehensive information-security program, including principles of “zero trust” architecture, regular security reporting to its board of directors, and prompt notice of significant security events to the CEO.
  • Execute specific security requirements concerning segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements.
  • Get third-party security assessments and audits for three years, and make its risk assessments available to a third-party assessor.

Soon after its disclosure, Anthem offered an initial two years of credit monitoring to all affected customers, at the request of the Connecticut attorney general.

Anthem then settled a class-action lawsuit by creating a $115 million fund “to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers,” the release said. “The deadlines for consumers to submit claims under that settlement have since passed.”