Indianapolis-based Anthem, the largest U.S. health insurance company, has agreed to a proposed settlement to resolve the multidistrict class action litigation relating to the 2015 cyber attack that compromised the personal information of 78.8 million people. The $115 million settlement, if approved by the Court, will be the largest data breach settlement in history, according to attorneys representing the plaintiffs.
In a statement posted to its website on Friday, Anthem stated that the settlement does not include any finding of wrongdoing, and the company is not admitting any wrongdoing or that any individuals were harmed as a result of the cyber attack.
As previously reported by Healthcare Informatics, an examination of the breach by the California Department of Insurance revealed that very likely, “the cyber attacker was acting on behalf of a foreign government."
According to a Reuters article, the deal must still be approved by U.S. District Judge Lucy Koh in San Jose, California, who is presiding over the case. Judge Koh is scheduled to hear Plaintiffs’ motion on August 17. More than 100 lawsuits filed against Anthem over the breach were consolidated before Judge Koh.
The cyber breach was first discovered by Anthem on Jan. 27, 2015. In early February 2015, Anthem and its affiliates announced the company had suffered a major breach, which compromised 78.8 million consumer records, including records of at least 12 million minors. At that time, the payer announced details in a letter from President and CEO, Joseph R. Swedish. He said that Anthem was the target of a “very sophisticated external cyber attack.” The hackers gained access to current and former members’ names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, and income data. Anthem says that credit card and medical information, such as claims, test codes, and diagnostic codes were not compromised.
When Anthem discovered the cyber attack in 2015, the company offered two years of credit monitoring and identity protection services to all individuals whose data may have been impacted. According to Anthem’s statement, as part of this final resolution of the litigation, class members can receive an additional two years of credit monitoring and identity protection services, along with other significant benefits.
According to a press release from attorneys from Altshuler Berzon, Cohen Milstein, Girard Gibbs and Lieff Cabraser, who were court-appointed to lead the representation of the plaintiffs, the proposed settlement provides for Anthem to establish a $115 million settlement fund, which will be used to provide victims of the data breach at least two years of credit monitoring; cover over out-of-pocket expenses incurred by consumers as a result of the data breach; and provide cash compensation for those consumers who are already enrolled in credit monitoring.
In addition to the monetary fund, the settlement will require Anthem to guarantee a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls. The settlement is designed to protect class members from future risk, provide compensation, and ensure best cybersecurity practices to deter against future data breaches.
“We are very satisfied that the settlement is a great result for those affected and look forward to working through the settlement approval process,” Andrew Friedman, co-lead plaintiffs’ counsel, said in a statement in the press release.
Anthem executives said in the statement, “Anthem has had, for many years, a strong information security program to protect the personal data entrusted to us. As we have seen in cyber attacks against governments and private sector companies including Anthem over the past few years, many cyber threat actors are increasingly sophisticated and determined adversaries. Anthem is determined to do its part to prevent future attacks. To that end, as part of the settlement, Anthem has agreed to continue the significant information security practice changes that we undertook in the wake of the cyber attack, and we have agreed to implement additional protections over the next three years.”