Anthem to stump up record $115 million in data breach lawsuit settlement

Don’t read wrongdoing into the agreement, however…

David Bisson

$115 million settlement fund for Anthem data breach awaits court approval

A judge is expected to review a settlement agreement under which Anthem will establish a fund of US $115 million for the massive data breach it suffered in 2015.

Filed on 23 June 2017, the agreement stipulates that Anthem, an American health insurer, will create a fund of $115 million to cover administrative expenses and attorney fees. The fund will also cover a number of additional services.

For instance, the administrator of the agreement will use the fund to pay Experian $17 million for offering free credit services to members of the settlement, set aside $13 million to cover individuals who purchased credit-monitoring services on their own, and designate $15 million for other out-of-pocket expenses.


Anthem agreed to the settlement more than two years after hackers broke into its systems and stole personal information including names, dates of birth, medical IDs, Social Security Numbers, street addresses, email addresses, and employment information from 70 million former and then-current members.


The security breach might have also affected at least another 8.8 million individuals who at the time owned healthcare plans maintained by Anthem-owned Blue Cross Blue Shield but run by independent firms. Following the incident, some of those affected individuals filed a class-action lawsuit against Anthem, proceedings to which this agreement directly responds.

Lead attorney Eve Cervantez is pleased with the agreement. As she told The Register:

“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses.”

$115 million is certainly a hefty penalty for Anthem to pay. Some might even interpret it as an admission of guilt on the part of the health insurer. But settlement agreements such as these usually exclude considerations of wrongdoing from their terms.

It’s therefore not a surprise to find the following clause in the agreement’s opening section:

“WHEREAS, Defendants deny any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of any Defendant with respect to any claim of any fault or liability or wrongdoing or damage whatsoever, any infirmity in the defenses that the Defendants have asserted or would assert, or to the requirements of Federal Rule of Civil Procedure 23 and whether Plaintiffs satisfy those requirements.”

Lucy Haeran Koh, a United States District Judge of the United States District Court for the Northern District of California, is expected to weigh in on the settlement. If she finds no fault with it, she can sign off on the agreement and order it to come into effect. Otherwise, she can demand a rewrite.

Anyone affected by the 2015 Anthem breach can find out more about the settlement and how they can submit a claim for compensation on the health insurer’s FAQ site.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
