FRANKFORT, Ky. (KT) -- Kentucky will receive nearly $2 million as part of a multimillion-dollar, multistate settlement with Anthem, Inc., for a data security breach that compromised the personal information of 78.8 million Americans, Attorney General Daniel Cameron announced on Wednesday.
Anthem, Inc. agreed to pay $39.5 million to 43 states and the District of Columbia, with Kentucky’s share at $1,929,942.02. In addition to the payment, Anthem has also agreed to a series of data security and adequate governance provisions designed to strengthen its practices going forward. The attorney general’s Division of Consumer Protection served on the executive committee of the multistate team and was a leader in the investigation.
“To protect the interests of Kentucky consumers, our office investigated whether Anthem had violated Kentucky’s Consumer Protection Act and federal HIPAA laws designed to protect sensitive patient health information,” Cameron said. “This settlement delivers nearly $2 million to Kentucky and requires Anthem to adequately secure confidential health and personal records in accordance with state and federal laws.”
In February 2015, Anthem disclosed that cyber attackers used malware installed through a phishing email to infiltrate its data systems starting in February 2014. The attackers gained access to names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers and employment information for 78.8 million Americans. The personal information of 2,305,612 Kentuckians was compromised by the data breach.
The settlement terms require Anthem to:
--Cease making statements regarding the extent to which Anthem protects the privacy and security of personal information.
--Implement a comprehensive information security program, including principles of zero trust architecture, regular security reporting to the board of directors and prompt notice of significant security events to the CEO.
--Execute specific security requirements concerning segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing and employee training, among other requirements.
--Procure third-party security assessments and audits for three (3) years. During that time, Anthem is also required to make its risk assessments available to a third-party assessor.
Anthem offered two years of credit monitoring to all those affected after the breach was discovered. In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50 and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.
The terms of the settlement in Kentucky were approved by Franklin Circuit Judge Phillip Shepherd on Wednesday.