On September 30, 2020, Anthem, Inc. (“Anthem”) entered into an assurance of voluntary compliance (the “Agreement”) with the attorneys general of 42 states and the District of Columbia to settle claims under state and federal law relating to Anthem’s 2015 data breach (the “Breach”).

As we previously reported, the Breach involved unauthorized access to personal information (“PI”) and protected health information (“PHI”), including names, dates of birth, Social Security numbers, healthcare identification numbers and email addresses, and affected approximately 79 million individuals. The Breach remains the largest breach of PHI in history, according to the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”).

Under the Agreement, following Anthem’s full payment of the settlement amount to the respective attorneys general, Anthem will be released from all civil claims that the attorneys general could have brought under relevant consumer protection acts, personal information protection acts and security breach notification acts, as defined in the Agreement, along with HIPAA and any common law claims concerning unfair, deceptive or fraudulent trade practices based on Anthem’s conduct related to the Breach, excluding any enforcement actions related to Anthem’s obligations under the Agreement and any private right of action.

Pursuant to the Agreement, Anthem makes the following assurances:

  • Anthem will not misrepresent the extent to which it maintains and protects the privacy, security or confidentiality of any PI or PHI collected from or about consumers.
  • Anthem will develop, implement and maintain a written information security program reasonably designed to protect the security, integrity and confidentiality of PI and PHI, which must, at a minimum, include specific information security requirements, including those related to segmentation, a cybersecurity operations center, logging and monitoring, antivirus maintenance, access controls, remote access and multifactor authentication, encryption, risk assessments, vulnerability management, penetration testing, network sensors, endpoint detection and response and intrusion detection and prevention.
  • Anthem will obtain an initial and annual information security assessment of its policies and practices pertaining to PI and PHI from an independent third-party professional for a period of three years.
  • Anthem will provide an annual SOC 2 Type 2 Assessment for a period of three years.

Anthem simultaneously entered into a separate settlement with the State of California and had previously entered into record-setting agreements with OCR and class action plaintiffs to settle claims related to the Breach.