New Hampshire Department of Justice
Office of the Attorney General

News Release

For Immediate Release
September 30, 2020

Kate Giaquinto, Director of Communications | 603-573-6103

Brandon H. Garod, Senior Assistant Attorney General, Chief,
Consumer Protection and Antitrust Bureau | 603-271-1217

New Hampshire Joins Multistate Settlement Over 2014 Anthem Data Breach

Concord, NH – Attorney General Gordon J. MacDonald announces that New Hampshire has joined 43 states in a settlement with Anthem stemming from the 2014 data breach that involved the personal information of 78.8 million Americans. In New Hampshire, 667,866 residents were affected by the breach.

Under the settlement, Anthem will make a payment of $39.5 million and will implement a series of data security and good governance provisions designed to strengthen its practices going forward.

In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem's data warehouse, where they harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans.

Anthem has agreed to a series of provisions designed to strengthen its security practices going forward. Those include:

  • a prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information;
  • implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
  • specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
  • third-party security assessments and audits for three (3) years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.

In the immediate wake of the breach, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.

Anthem had previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.

New Hampshire's share of the settlement will be $365,166.

The Consumer Protection and Antitrust Bureau is funded entirely through the consumer protection escrow account and the settlement funds received through lawsuits brought by the State for the protection of New Hampshire consumers. The Bureau's work includes consumer protection and antitrust enforcement, namely investigating and litigating consumer fraud and unfair or deceptive marketing practices as well as ongoing education and outreach for New Hampshire consumers.

RSA 7:6-f requires that "Any funds received by the attorney general on behalf of the state or its citizens as a result of any civil judgment or settlement of a claim, suit, petition, or other action under RSA 358-A or related consumer protection statutes shall be deposited in a consumer protection escrow account. The consumer protection escrow account shall at no time exceed $5 million, with any amount in excess of $5 million deposited into the general fund."

New Hampshire's participation in this multistate investigation and settlement was led by Senior Assistant Attorney General Brandon H. Garod, Chief of the Consumer Protection and Antitrust Bureau.

New Hampshire Department of Justice
33 Capitol Street | Concord, NH | 03301
Telephone: 603-271-3658