On September 30, 2020, health insurance company Anthem Inc. reached a $39.5 million multistate settlement and a parallel $8.69 million settlement with California to resolve claims arising from a 2014 data breach that compromised the personal information of over 78 million customers. In 2015, Anthem disclosed that cyber attackers gained access to its data warehouse in February 2014 by using malware installed through a phishing email, compromising consumers’ names, phone numbers, home addresses, email addresses, Social Security numbers, healthcare identification numbers, employment information, and dates of birth.
A total of 42 states and the District of Columbia joined the multistate settlement, which, in addition to the payment, requires Anthem to change its security policies and governance provisions to strengthen its security practices going forward. Like the multistate settlement, Anthem’s California settlement resolved alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state consumer protection laws, and contained provisions to improve Anthem’s security program and repair vulnerabilities leveraged in the data breach.
In 2017, Anthem reached a $115 million class action settlement as a result of the 2014 data breach. That settlement established a fund to pay for credit monitoring, cash payments, and reimbursements for affected class members.