Colorado to receive more than $100,000 in multistate settlement over 2014 Anthem data breach

Sept. 30, 2020 (DENVER, Colo.)—Attorney General Phil Weiser today announced that Colorado and 43 other states have resolved their claims against Anthem over a 2014 data breach the health insurance company experienced that may have impacted more than 1.5 million Coloradans. The settlement requires that Anthem establish and maintain substantially improved data protection measures and requires a payment to Colorado of $141,970.

In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans.

“A data breach of this magnitude can have lasting impacts for Colorado residents,” said Weiser. “This settlement tells businesses that they will be held accountable for protecting the vital information of their customers.”

Through the settlement, Anthem has reached a resolution with the 43-state multistate coalition and California. In addition to the total payment of $39.5 million, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward. These include:

implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements;
third-party security assessments and audits for three (3) years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term; and
a prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information.

In the immediate wake of the breach, at the request of the Connecticut Office of the Attorney General, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.

In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have passed.

To learn more about Colorado’s consumer data protection laws, go to coag.gov/resources/data-protection-laws/.

###

Media Contact:

Lawrence Pacheco

Director of Communications

(720) 508-6553 office | (720) 245-4689 cell

Lawrence.pacheco@coag.gov

Most Recent

Attorney General Weiser launches crackdown on fraudulent Colorado businesses tied to national and international scam networks

Actions target thousands of fraudulently filed entities, including those linked to cryptocurrency scams, investment fraud, romance scams, and other unlawful activities May 21, 2026 (DENVER) — Attorney General Phil Weiser today announced a major enforcement sweep targeting thousands of allegedly […]

Attorney General Phil Weiser sues U.S. Department of Education over restrictions on student loan access for healthcare professionals

May 19, 2026 (DENVER) — Attorney General Phil Weiser today co-led a coalition of 24 attorneys general and two governors in suing the U.S. Department of Education over a new final rule that would significantly limit federal student loan access for […]

Attorney General Phil Weiser statement on Colorado Supreme Court directing Children's Hospital to resume gender-affirming care

May 18, 2026 (DENVER) — Attorney General Phil Weiser released the following statement regarding the opinion from the Colorado Supreme Court in Boe v. Children’s Hospital Colorado: “With today’s Colorado Supreme Court decision, Colorado families are finally going to get […]