Tennessee will receive a $39.5 million settlement with Anthem Inc. stemming from a massive 2014 data breach, a news release from Attorney General Herbert H. Slatery III said.
Through the settlement, Anthem has reached a resolution with the 43-state coalition and California. Tennessee will receive $400,556 from the settlement, the news release said.
Anthem, Inc., is a health insurance provider in the U.S. It is the largest for-profit managed health care company in the Blue Cross Blue Shield Association. The company had about 40 million members as of 2018.
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems. The attackers harvested names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans, the news release said.
In Tennessee, 773,763 residents were known to be affected by the breach, the release said.
“Consumers’ sensitive personal health information should always be given the strongest protections. This massive breach at a major insurer affected hundreds of thousands of Tennesseans, and this settlement affirms that it is critical for companies to use the highest levels of security when it comes to this kind of data,” Slatery said in the release.
The release said that, in addition to the payment, Anthem has agreed to a series of data security and good governance provisions that include:
- a prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information;
- implementation of a comprehensive information security program, including regular security reporting to the board of directors and prompt notice of significant security events to the CEO;
- specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
- third-party security assessments and audits for three years.
To read the Agreed Final Order, go to https://www.tn.gov/content/dam/tn/attorneygeneral/documents/pr/2020/pr20-43-order.pdf
The Connecticut Office of the Attorney General led the multistate investigation, assisted by the Attorneys General of the other states involved.