Penalty Amount
$8,690,000
Consumers Affected
78,000,000
California Attorney General Xavier Becerra announced an $8.69 million settlement with health insurer Anthem, Inc. resolving allegations that the company violated state and federal privacy laws by failing to protect patient personal data in a 2014 data breach. The breach, announced in 2015, exposed personal information of 78 million consumers nationwide, including 13.5 million Californians, due to Anthem’s inadequate information security practices. The settlement includes injunctive terms requiring Anthem to overhaul its information security program to address vulnerabilities that enabled the breach.
Anthem must pay $8.69 million in monetary penalties. The settlement also includes injunctive terms requiring Anthem to modify its information security program to remediate vulnerabilities that enabled the 2014 data breach, including addressing deficiencies in access controls, account credential protection, security tool updates, and network activity logging and monitoring.
In-house legal teams at healthcare entities, HIPAA-covered organizations, and companies handling sensitive consumer data should review vendor agreements (including HIPAA Business Associate Agreements), customer contracts, and internal compliance policies. Key clauses to audit include information security program requirements, access controls for sensitive data, account credential protection standards, mandatory security tool update schedules, and network activity logging and monitoring obligations. Teams should also verify that breach notification clauses align with state and federal requirements, and that vendor contracts include audit rights to assess compliance with security standards. Additionally, any existing settlement or consent decree compliance clauses should be updated to reflect injunctive requirements for security program remediation.
Entity
Anthem, Inc.
Also known as: Anthem
Industry
Healthcare
Official Press Release
https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-869-million-settlement-against-anthem-inc
People v Anthem Complaint
https://oag.ca.gov/sites/default/files/People%20v%20Anthem%20-%20Complaint.pdf
Anthem FINAL Stipulation
https://oag.ca.gov/sites/default/files/Anthem%20-%20FINAL%20-%20Stipulation.pdf
California Attorney General Enforcement Page
https://oag.ca.gov/privacy/privacy-enforcement-actions
"Anthem, Inc."
"$8.69 million"
"California’s consumer protection laws"
"federal Health Insurance Portability & Accountability Act (HIPAA)"
"2014 data breach"
"numerous deficiencies in basic security, including not limiting access to computers holding sensitive information, not protecting account credentials and passwords from unauthorized use, not updating security tools, and not adequately logging and monitoring network activity to detect malicious activity."
$39.5M
The New Jersey Attorney General announced a multi-state settlement with Anthem, Inc. over a 2015 data breach that exposed personal information of over 78 million Americans, including 1.15 million New Jersey residents. Anthem will pay $39.5 million to participating states and implement enhanced cybersecurity measures.
California Attorney General Rob Bonta, joined by attorneys general from seven other states, filed a lawsuit to block the $6.2 billion merger between Nexstar Media Group and Tegna Inc. The lawsuit alleges the merger violates Section 7 of the Clayton Act by reducing competition in local TV markets, leading to higher prices, less local news, and job losses.
California Attorney General Rob Bonta filed a lawsuit against the U.S. Department of Education to block the expansion of IPEDS data collection requiring colleges to submit race-linked student data. The lawsuit argues the demand is arbitrary, capricious, and burdensome, and could enable costly partisan investigations. A multistate coalition co-led the challenge.
California Attorney General Rob Bonta and a coalition of state attorneys general announced they will continue their antitrust lawsuit against Live Nation/Ticketmaster after the U.S. Department of Justice settled the case. The states aim to hold Live Nation accountable for anticompetitive conduct that harms consumers, artists, and venues in the live music industry.
$376K
The California Privacy Protection Agency (CalPrivacy) settled with Ford Motor Company, requiring the company to pay a $375,703 fine and change its practices. Ford violated the CCPA by requiring consumers to complete an email verification step before they could opt out of the sale and sharing of their personal information collected through digital properties and connected vehicle services. In addition to the fine, Ford must provide easy methods to submit opt-out requests with minimal steps, audit its tracking technologies, and ensure compliance with opt-out preference signals including Global Privacy Control.
California Attorney General Rob Bonta, co-leading a bipartisan coalition of 21 attorneys general and charitable regulators, sent a letter to GoFundMe demanding the platform remove all plagiarized donation web pages for over 1.4 million charities, disclose information about donations, and ensure pages do not outrank official charity sites in search results. The action follows reports that GoFundMe used charities' information without consent and engaged in deceptive solicitations, violating state charitable solicitation and consumer protection laws.