Processing Your Payment

Please do not leave this page until complete. This can take a few moments.

Updated: October 2, 2020

Maine joins multistate settlement with Anthem over 2015 data breach

graphic depiction of hands and a computer screen Courtesy / A data breach at Anthem in 2014 impacted more than 513,000 Mainers.

More than five years after a 2015 data breach at Anthem Inc. (NYSE: ANTM) that affected more than 531,000 Mainers, the state's attorney general has joined a multistate settlement with the Indianapolis-based health benefits provider for $39.5 million.

Anthem said in a Sept. 30 news release that it had been the victim of a state-sponsored criminal attack, and that it does not believe violated the law in connection with its data security and is not admitting to any such violations in the settlement reached with state attorneys general.

Through the settlement with 44 states, Anthem has agreed to a series of governance provisions designed to strengthen its practices going forward. Maine will also get resources for consumer protection activities through the settlement.

Mainebiz could not immediately determine the settlement amount for Maine.

The data breach came to light in February 2015, when Anthem disclosed that cyberattackers had infiltrated its systems, using malware installed through a phishing email. 

The attackers were ultimately able to gain access to Anthem's data warehouse, where they harvested names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers and employment information for 78.8 million Americans and 531,717 Mainers.

"It is incumbent on companies like Anthem, which collect and maintain consumers personal data in order to provide essential products such as health insurance, to work diligently to ensure that data is protected," said Maine Attorney General Aaron Frey in Thursday's announcement.

"Anthem needs to be upfront with consumers about what it is doing to protect that data and through this settlement, it has agreed to strengthen its security practices and provide resources to states like Maine to assist our consumer protection efforts," he added.

In the immediate wake of the breach, at the request of the Connecticut Office of the Attorney General, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.

As part of the settlement, Anthem said in its Sept. 30 announcement that it undertaken commitments that align with its ongoing and consistent focus on protecting information. The company also said it is pleased to have resolved this matter, which is the last open investigation related to the 2015 cyberattack.

Before reaching the settlement with the state coalition, Anthem had settled a class-action lawsuit that established a $115 million fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers.

The deadlines for individual consumers to submit claims under that settlement have since passed, according to the Maine Attorney General's office.

The Connecticut Office of the Attorney General led the multistate investigation, assisted by peers in Illinois, Indiana, Kentucky, Massachusetts, Missouri and New York.

They were later joined by Alaska, Arizona, Arkansas, Colorado, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Nebraska, New Hampshire, New Jersey, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia and Wisconsin.

Anthem says on its website that one in eight Americans receives coverage for medical care through its affiliated plans.

Sign up for Enews

Related Content


Order a PDF