Anthem Inc. agreed to pay $115 million, and take specified corrective actions, to settle a consolidated class action that resulted from the massive cyberattack suffered by the health insurer.
The Anthem breach, which first came to light early in 2015, was the largest to date in the health care sector, with nearly 80 million individuals affected—many of them in employer group health plans insured or administered by Anthem companies.
Advanced Employment Issues Symposium
Join us in the Paris Las Vegas Hotel in November for one of the leading employment law conferences for forward-thinking HR professionals, executives, and in-house counsel.
The proposed settlement still must be approved by the federal district court in San Jose, Calif., where the lawsuits were consolidated (In re Anthem Inc. Data Breach Litigation, No. 5:15-MD-02617-LHK (N.D. Cal. June 23, 2017)).
The settlement fund includes $17 million to provide the affected individuals with 2 years of credit monitoring and identity restoration services. Those who have already signed up for such services can apply for reimbursement payments.
Another $15 million will be set aside to pay for out-of-pocket costs that are “fairly traceable” to the breach, such as preventative measures or unreimbursed losses from misuse of the data.
The settlement also includes “business practice commitments” regarding Anthem’s data security practices. This will include archiving databases with strict access controls and monitoring requirements, strengthening various data security controls, encrypting certain information, and guaranteeing a specified level of funding for Anthem’s information security, according to Girard Gibbs, one of the plaintiffs’ law firms.
As is standard in such a settlement, Anthem did not admit to any wrongdoing. Many class actions had been filed against Anthem and other defendants in jurisdictions across the country, alleging that they failed to properly protect personal information in accordance with their duties, had inadequate data security, and delayed notifying potentially impacted individuals.