SACRAMENTO, September 30, 2020 — California Attorney General Xavier Becerra today announced an $8.69 million settlement against Anthem, Inc. (Anthem), resolving allegations that the health insurance provider violated consumer protection and privacy laws arising from a 2014 data breach. California’s settlement, reached in parallel with a related multistate settlement, includes injunctive terms that require Anthem to make changes to its information security program and remedy the vulnerabilities that permitted the data breach.
“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said Attorney General Becerra. “Consumers are left with little choice but to trust that their personal health information will be safe and secure. Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”
In 2015, Anthem announced a data breach affecting the personal information of 78 million consumers, including over 13.5 million Californians. The data included the consumers’ names, addresses, email addresses, Social Security numbers, healthcare identification numbers, and dates of birth. Attackers sent targeted emails containing malware that allowed them to access Anthem’s network and spend months stealing information from Anthem’s most sensitive database containing consumers’ personal information.
The investigation revealed Anthem had numerous deficiencies in basic security, including not limiting access to computers holding sensitive information, not protecting account credentials and passwords from unauthorized use, not updating security tools, and not adequately logging and monitoring network activity to detect malicious activity.
The settlement resolves allegations that Anthem violated California’s consumer protection laws, as well as the federal Health Insurance Portability & Accountability Act (HIPAA), which established national standards and safeguards to protect personal health information.
Attorney General Becerra is committed to protecting consumer and individual privacy through civil prosecution of state and federal privacy laws. Earlier this month, the Attorney General announced a landmark settlement against Glow, Inc., resolving the Attorney General’s investigation of Glow’s app for serious privacy and basic security failures that put women’s highly-sensitive personal and medical information at risk. In 2019, Attorney General Becerra recovered over $1 million for California as part of a multistate settlement against health insurer Premera Blue Cross. In 2017, the Attorney General reached a $2 million settlement with Cottage Health System and its affiliated hospitals in California resolving allegations that they failed to implement basic, reasonable safeguards to protect patient medical information in violation of state and federal privacy laws.
A copy of the complaint can be found here and the proposed judgment, subject to court approval, can be found here.