Attorney General Gurbir S. Grewal announced that New Jersey will receive $527,055 as part of a multi-state settlement with health insurance provider Anthem, Inc.
The settlement resolves an investigation by the participating states into a massive data breach that impacted the personal information of tens of millions of Americans – including more than 1.15 million New Jersey residents.
Overall, Anthem will pay the participating states a total of $39.5 million under the settlement and implement a series of cyber-security and good governance provisions aimed at strengthening its practices going forward.
“Companies have a duty to maintain effective security measures to safeguard the mountains of personal information they collect from consumers,” Attorney General Grewal said. “When they fall short, it becomes all too easy for criminals to steal consumers’ sensitive data.”
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems through a months-long, continuous cyber-attack that began in February 2014 with malware installed through a spear-phishing email.
The states’ investigation revealed that, between December 2, 2014, and January 27, 2015, the cyber attackers used harvested credentials to run numerous unauthorized queries and access personal information in Anthem’s data warehouse.
There, they captured names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans.
“Consumers who are asked – and often required – to entrust companies with their highly sensitive personal data have a right to expect that such information will be protected through appropriate security measures,” Acting Division of Consumer Affairs Director Paul R. Rodríguez said. “That did not happen here, and more than 1.15 million New Jersey residents had their personal data compromised. This is unacceptable. Going forward, Anthem must do a better job of securing consumers’ personal information, and the terms of today’s settlement should help ensure that they do.”
Under the settlement, Anthem has agreed to a series of provisions designed to enhance accountability and solidify its security practices. Those include:
- A prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information
- Implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO
- Specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements
- Third-party security assessments and audits for three (3) years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term
In the immediate wake of the Anthem breach, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.
In addition to the settlement, Anthem previously entered into a class action settlement that established a $115 million fund to pay for additional credit monitoring, cash payments of up to $50 per affected consumer, and reimbursement for out-of-pocket losses for affected consumers.