Like many companies hit by data breaches, Anthem, the United States’ largest for-profit health care company, has been forced to watch from the sidelines while the incident plays out in court.
An end finally appears to be in sight however. Late Friday the company agreed to settle a series of lawsuits stemming from the 2015 breach of data belonging to 79 million individuals. As part of the settlement Anthem said it would pay $115 million. The funds will mostly go towards two years of credit monitoring for the breach’s victims.
As part of the settlement the company denies any wrongdoing or that any individuals were harmed as a result of the attack, according to a note on the settlement posted to the company’s site.
“We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyber attack and who will now be members of the settlement class,” the statement reads.
In addition to credit monitoring, the settlement also mandates the company adhere to a set of business practices, specifically guaranteeing a certain level of funding goes towards information security and updating its data security systems. The company is being required to encrypt and archive certain data with strict access controls. Anthem said $15 million of the fund will go toward any out-of-pocket costs class members experience.
Class members who already have credit monitoring services in place can elect to receive cash compensation but it won’t be much. Members will receive at least $36, or up to $50 in some instances, according to the settlement’s “Alternative Compensation” section.
A preliminary motion filed by attorneys representing the plaintiffs approving the settlement was also filed Friday (.PDF).
It could be the largest data breach settlement in history if approved by Lucy Koh, the judge presiding over the case for the United States District Court for the Northern District of California. Koh isn’t scheduled to hear the Plaintiffs’ motion until Aug. 17.
It was in February 2015 when word broke that attackers had infiltrated Anthem, securing access to customers’ Social Security numbers, birth dates, names, and employment data, among other personally identifiable information.
At the time the Anthem’s CEO, Joseph Swedish, said the company had been the target of a “very sophisticated external cyber attack.” The company cooperated with the FBI and hired Mandiant to comb through the attack’s particulars.
The California Department of Insurance said in January earlier this year that it believed the breach was the result of an attacker working on behalf of a foreign government.
The breach’s tentacles stretched across the U.S. Health care subsidiaries like Caremore, UniCare, and Amerigroup who were hit, along with regional Anthem brands in 26 states, including Georgia, California, Kentucky, Maine, and Wisconsin, to name a few.
More than 100 lawsuits were filed against Anthem and consolidated into a single complaint for the case. The plaintiffs’ case rested on proving the data breach happened because Anthem “aggregated 80 million people’s private information into a central data warehouse that was not properly secured.”
The settlement, if approved, could be nearly six times as much as other data breaches from the past several years. Home Depot, which was impacted by a breach in 2014, agreed to pay $19.5 million to compensate 40 million victims in March 2016. The retailer agreed in March this year to pay an additional $27.25 million to financial institutions affected by the breach. Target, which had 41 million customers hit by a breach in 2013, agreed last month to pay $18.5 million to settle.
Photo via Tony Webster, Flickr, Creative Commons