The largest data breach settlement ever has recently been agreed by the health insurer Anthem Inc. Anthem was hit with a cyber attack in 2015 that resulted in the theft of 78.8 million records of current and former health plan subscribers. In the breach, names, addresses, Social Security numbers, email addresses, birth dates and employment/income information were accessed without the necessary permission.
A breach of that size inevitably resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years later, Anthem has agreed to settle the litigation for $115 million. If the settlement is approved, it will be the largest data breach settlement ever, much higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014.
After the cyber attack, Anthem offered two years of free credit monitoring services to affected plan members. The settlement will, in part, be used to pay for another two years of credit monitoring services. Alternatively, people who have already enrolled in the credit monitoring services previously offered may be allowed to receive a cash payment of $36 in lieu of the extra two years of cover, or up to $50 if money is still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.
Anthem has also agreed to set aside ‘a certain level of funding’ to make enhancements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be changing how it archives sensitive information and will be implementing tighter access controls. While the settlement has been agreed, Anthem has not openly admitted any wrongdoing.
Anthem spokesperson Jill Becher commented that while data were stolen in the cyber attack, Anthem has not uncovered proof to suggest any of the information taken in the attack was used to commit fraud or was sold on for profit. Becher remarked, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”
Though the decision to settle has been announced, the settlement must now be approved by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will preside over the action on August 17, 2017.