Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

$115 Million Settlement in Massive Anthem Breach Case

Lawyers Say Proposed Settlement Would Be Largest Ever for a Breach
$115 Million Settlement in Massive Anthem Breach Case

Health insurer Anthem has agreed to a proposed $115 million deal to settle a class action lawsuit over a 2015 cyberattack that resulted in a breach affecting nearly 78.9 million individuals.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

Attorneys representing plaintiffs said in a statement the $115 million deal, if approved by the California federal court handling the consolidated case, would be the largest data breach settlement ever reached.

The proposed settlement provides for Anthem to establish a settlement fund that would be used to:

  • Provide victims of the data breach at least two years of credit monitoring;
  • Cover out-of-pocket expenses incurred by consumers as a result of the data breach; and
  • Provide cash compensation for those consumers who are already enrolled in credit monitoring.

Security Improvements

In addition to the monetary fund, the settlement would require Anthem to guarantee a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls.

The settlement is designed to protect class members from future risk, provide compensation and ensure best cybersecurity practices to deter against future data breaches, the attorneys' statement says.

"After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses," said Eve Cervantez, co-lead counsel representing the plaintiffs in the Anthem litigation.

In February 2015, Anthem announced that it had been the target of a cyberattack in which the personal information of 78.8 million individuals was stolen, including, for many of those individuals: names, dates of birth, Social Security numbers and healthcare identity numbers.

100 Lawsuits Consolidated

Plaintiffs filed more than 100 lawsuits against Anthem across the country. Judge Lucy Koh of the Northern District of California consolidated the cases.

The plaintiffs filed a motion for preliminary approval of the settlement on June 23. Judge Koh is scheduled to hear plaintiffs' motion on Aug. 17. If approval is granted, the class members would be notified about the details of the settlement and invited to participate in and comment on it, the attorneys said.

The law firms representing the plaintiffs have set up a website where individuals affected by the breach can obtain information about the settlement.

In January, seven state insurance commissioners released a report on their investigation into the massive cyberattack against Anthem. The insurance commissioners concluded that the attack began with a phishing campaign launched by an unnamed nation-state.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.