Anthem also must strengthen data security practices and schedule third-party assessments and audits for three years, according to a statement by New York Attorney General Letitia James (D).
“This agreement signals that Anthem is committed to protecting consumers’ private information,” James said in the statement.
The settlement involved more than 40 state attorneys general.
The breach began through a phishing email and exposed Anthem’s data warehouse, which hosted names, Social Security numbers, addresses, health care identification numbers, and employment information, among other data. Anthem disclosed the attack one year later, James’ office said.
“The company is pleased to have resolved this matter,” an Anthem spokesperson said in a statement. “Anthem does not believe it violated the law in connection with its data security and is not admitting to any such violations in this settlement.”
California Attorney General Xavier Becerra (D) reached a separate $8.69 million settlement with Anthem in an investigation that ran parallel to the multistate one, his office said.
“Anthem’s lax security and oversight hit millions of Americans,” Becerra said in a statement. “Now Anthem gets hit with a penalty, in the millions, in return.”
To contact the reporter on this story:
To contact the editor responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.