The biggest data breach settlement ever recorded has recently been agreed by the health insurer Anthem Inc. Anthem suffered the largest healthcare data breach ever reported in 2015, with the cyberattack leading to the theft of 78.8 million records of current and former health plan subscribers. The breach included information such as names, addresses, Social Security numbers, email addresses, birthdates and employment/income information being stolen.
A breach on that scale naturally lead to many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the the breach legal action for $115 million. If this settlement is approved, that makes this the biggest data breach settlement ever – much more than $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid out to consumers by Home Depot after its 50-million record breach in 2014.
After suffering the data breach, Anthem provided two years of free credit monitoring services to impacted plan members. The settlement will, in part, be used to provide another two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be allowed to avail of a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still in place. The settlement also includes a $15 million finance to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.
Anthem has also said it will put away ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be implementing changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any liability.
Anthem Spokesperson Jill Becher said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”
The settlement must now be giving approval by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.