Date: 2020-09-30

HARTFORD, Conn. (Hartford Business Journal) — Connecticut got its hands on part of a $39.5 million multi-state settlement stemming from an Anthem data breach that happened six years ago.

Attorney General William Tong said the breach involved the personal information of 78.8 million Americans.

Through the settlement, Anthem reached a resolution with a 43-state coalition and California.

Tong said Connecticut will receive $3.8 million from the settlement.

In Feb. 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in Feb. 2014 and used malware installed through a phishing email.

The attackers were ultimately able to gain access to Anthem’s data warehouse, where they collected names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for millions of Americans.

In Connecticut, 1.7 million residents were affected by the breach.

“Connecticut led the multistate investigation into Anthem’s 2014 data breach, culminating [Wednesday] in a $39.5 million multistate settlement,” Tong said. “Nearly half of all of Connecticut residents were impacted by this massive breach. This settlement sends a strong message that state attorneys general will fight to protect consumer privacy and data security.”

Under the settlement, Anthem agreed to a series of provisions designed to strengthen its security practices going forward.

Those included:

- A prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information.

- Implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the board of directors and prompt notice of significant security events to the CEO.

- Specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements.

- Third-party security assessments and audits for 3 years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.
