The following is a press release from the Massachusetts Attorney General’s office submitted to SOURCE media.
BOSTON – Massachusetts Attorney General Maura Healey today, September 30, announced Massachusetts will receive $1.4 million as part of a $39.5 million multistate settlement between 43 states and California and the national insurance company Anthem stemming from a massive 2014 data breach at the company that impacted nearly 79 million Americans.
“Companies have a duty to protect our information, especially those entrusted with sensitive health information,” said AG Healey. “We are pleased this settlement will require Anthem to change its business practices and take steps to safeguard consumers’ private information going forward.”
According to the assurance of discontinuance, cyber attackers infiltrated Anthem’s network beginning in February 2014 using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem’s data warehouse, where they harvested names, birth dates, Social Security numbers, healthcare identification numbers, home and email addresses, phone numbers, and employment information for nearly 79 million Americans, including more than one million Massachusetts residents.
With today’s settlement, Anthem has agreed to make significant business practice changes and to implement several improvements to its security processes, including:
- Implementation of a comprehensive information security program, including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
- Specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
- Third-party security assessments and audits for three years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.
Joining AG Healey in today’s settlement are the attorneys general from Alaska, Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, New York, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.
The AG’s new Data Privacy and Security Division protects consumers and their families from the rise of threats to the privacy and security of their data in the digital economy. The Division aims to empower consumers in the digital economy, ensure that companies are protecting consumers’ personal data from breach, protect equal and open access to the internet, and protect consumers from data-driven technologies that unlawfully deny them fair access to socioeconomic opportunities.
If you believe that you have been the victim of a data breach, you may need to take steps to protect your credit and your personal information. For additional information, consumers may visit the AG’s website. Guidance for businesses on data breaches can be found here.