Attorney General Moody Secures Millions Following Multistate Investigation into National Data Breach

TALLAHASSEE, Fla.—Attorney General Ashley Moody secured millions of dollars following a multistate investigation into a major data breach. Florida is part of a $39.5 million agreement stemming from Anthem’s massive data breach involving the personal information of more than 78 million Americans. Florida is receiving more than $600,000 to resolve the multistate investigation. In addition to the payment, Anthem will implement a series of data security and good governance provisions designed to strengthen its practices going forward.

In 2015, Anthem disclosed that cyber attackers infiltrated its systems, beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers and employment information for more than 78 million Americans, including approximately 1.5 million Floridians.

Attorney General Ashley Moody said, “Data breaches have far-reaching and long-lasting effects on people’s lives. When companies fail to protect customers’ personal information, they owe it to the public to disclose that information quickly and to take steps to protect them from further damage. I am glad we were able to work with our state partners to resolve this matter and hopefully prevent future breaches and further harm to Anthem customers.”

As part of today’s announcement, Anthem agrees to a series of provisions designed to strengthen its security practices going forward. Those include:

• Prohibiting misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information;
• Implementing a comprehensive information security program, incorporating principles of zero-trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
• Requiring specific security with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing and employee training, among other requirements; and
• Assessing and auditing security by a third party for three years, as well as requiring that Anthem make its risk assessments available to a third-party assessor during that term.