Commonwealth of Virginia
Office of the Attorney General
202 North Ninth Street
For media inquiries only, contact:
Charlotte Gomer, Press Secretary
Mobile: (804) 512-2552
ATTORNEY GENERAL HERRING SECURES $39.5 MILLION FROM ANTHEM OVER 2014 DATA BREACH
~ Virginia will receive more than $1.4 million as its share of the multistate settlement; nearly 3.8 million Virginians were affected by the breach ~
RICHMOND – Attorney General Mark R. Herring today announced that Virginia has joined a bipartisan 43-state multistate coalition and California in reaching a $39.5 million settlement with Anthem over its massive 2014 data breach that involved the personal information of 78.8 million Americans. As part of the settlement, Anthem has also agreed to implement a series of data security and good governance practices designed to strengthen its practices going forward. As its share of the settlement, Virginia will receive $1,404,487.61 for the nearly 3.8 million Virginians who were affected by the data breach. Anthem is Virginia's largest insurer and the second largest insurer in the nation.
"Almost 3.8 million Virginians had their personal information compromised because of Anthem's failure to implement adequate information security programs,” said Attorney General Herring. "In this day and age, when most of our personal information is digitized, I expect businesses of all sizes to make securing this data a top priority. While I hope that this settlement helps Virginians who were affected by this data breach, I want to also urge consumers to remain vigilant and continue to monitor all health records and financial statements.”
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem's data warehouse, where they harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans.
Under the settlement, Anthem has agreed to a series of provisions designed to strengthen its security practices going forward. Those include:
- A prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information
- Implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO
- Specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements
- Third-party security assessments and audits for three (3) years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term
In the immediate wake of the breach, at the request of the states, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.
In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.
The Office of the Attorney General works to ensure that companies hit by database breaches comply with Virginia law by notifying affected Virginians. Because data breaches lead to an increased risk of identity theft and fraud, all Virginians should regularly monitor their financial accounts and credit reports. Free credit reports may be obtained here.
In addition, Virginians should use the following tips to avoid identity theft or fraud:
- Use strong passwords of at least 8 characters for your email, computer, and financial accounts, combining capital and lowercase letters, numbers, and symbols
- Install anti-virus programs on your computer and scan files and emails regularly
- Never download software programs from unknown publishers
- Check for regular updates to your operating system
- Install and activate a software and hardware firewall on your computer
- Back up your data regularly using a USB drive
The Attorney General's Computer Crimes section and Victim Notification program are dedicated to empowering Virginians to protect themselves from identity crime and financial crimes, and work with Virginians who find themselves victims of this increasingly common crime. The office publishes the informational resource How to Avoid Identity Theft - A Guide for Victims.
Additionally, the office offers an Identity Theft Passport, a wallet-sized card that you can carry and present to law enforcement or other individuals who may challenge you about your identity if you have been a victim of an identity crime. The Identity Theft Passport is available to any Virginian who has filed a police report claiming they are a victim of an identity crime or who has obtained a court order expunging their record as a result of an identity crime. The Attorney General's Office conducts investigations to confirm the legitimacy of all passport applications. You may download the Identity Theft Passport from the Attorney General's website or contact the Office of the Attorney General at (804) 786-2071.
Joining Attorney General Herring in the multistate investigation into Anthem's data breach were the attorneys general of Alaska, Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, Nevada, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Washington, West Virginia, and Wisconsin.
# # #