$1.4 Million Earmarked For The One Million+ Massachusetts Residents Affected
As part of a $39.5 million multistate settlement involving 44 states including Massachusetts, the Commonwealth will receive approximately $1.4 million from the national insurance company Anthem.
“Companies have a duty to protect our information, especially those entrusted with sensitive health information,” said AG Healey. “We are pleased this settlement will require Anthem to change its business practices and take steps to safeguard consumers’ private information going forward.”
In the official announcement outlining the terms of the settlement agreement, Attorney General Maura Healey notes that more than a million Massachusetts residents were affected by the insurer’s 2014 data breach.
More than 79 million policyholders across the country were affected by the breach
According to the facts outlined in the assurance of discontinuance, in 2014, cyber attackers were able to infiltrate Anthem’s data network using a phishing email scheme. The phishing email, which contained malware, allowed the attackers to access the insurer’s data warehouse and to harvest the names, birth dates, Social Security numbers, healthcare identification numbers, home and email addresses, phone numbers, and employment information for approximately 79 million citizens, including approximately one million Massachusetts policyholders.
As a result of the settlement, the AG’s office asserts that Anthem has agreed to make significant business practice changes and to implement several improvements to its security processes, including:
- Implementation of a comprehensive information security program, including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
- Specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
- Third-party security assessments and audits for three years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.