Healthcare Information Security

Patient Privacy News

$115M Settlement Proposed in Anthem Data Breach Case

Plaintiffs filed a motion for preliminary approval for a settlement in the Anthem data breach lawsuit, following the large-scale 2015 cybersecurity attack.

Anthem data breach case will have $115 million settlement motion reviewed.

Source: Thinkstock

By Elizabeth Snell

- Plaintiffs in the Anthem data breach litigation case recently filed a $115 million settlement proposal, which would also require the healthcare provider to guarantee a certain level of funding for information security. Anthem would also need to implement or maintain data security system changes.

The motion is scheduled to be heard on August 17, 2017. Class members will be notified if the motion is granted, and can then learn settlement details and will be invited to participate in and comment on the settlement.

The settlement fund will be used in the following areas:

  • Provide at least two years of credit monitoring services to data breach victims
  • Cover out-of-pocket expenses consumers incurred because of the data breach
  • Provide cash compensation for consumers already enrolled in credit monitoring

“Out-of-Pocket Costs for preventative measures, such as obtaining credit monitoring services or credit freezes, shall be deemed fairly traceable to the Data Breach if they were incurred in February 2015 or thereafter and the Settlement Class Member states that they were incurred in response to the Data Breach,” the settlement states.

The Anthem data breach spurred numerous class action lawsuits across the country, alleging that the provider “failed to properly protect personal information in accordance with their duties, had inadequate data security, and delayed notifying potentially impacted individuals.”

READ MORE: Healthcare Data Breach Costs Highest for 7th Straight Year

The court documents also noted that the Defendant still denies “any wrongdoing whatsoever,” and that the proposed settlement “shall in no event be construed or deemed to be evidence of or an admission or concession.”

“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” plaintiffs’ Co-lead Counsel Eve Cervantez said, according to a Girard Gibbs LLP post.

Girard Gibbs attorney Eric Gibbs was named to the Plaintiffs’ Steering Committee.

“Class Counsel has investigated the facts relating to the Data Breach with the assistance of consultants in cybersecurity and identity theft, analyzed the evidence adduced during pretrial discovery, and researched the applicable law with respect to Plaintiffs’ claims against Defendants and the potential defenses thereto, including the motions described above,” the proposed settlement states.

Class counsel also reviewed 14 discovery motions, 3.8 million pages of documents, took 80 percipient witness and 30(b)(6) depositions, defended 105 named Plaintiff depositions, produced four experts for deposition, and took five expert depositions.

READ MORE: Healthcare Cybersecurity Task Force Finds 6 Imperative Areas

The Anthem data breach was a cybersecurity attack that impacted 78.8 million consumers. The California Department of Insurance released a report earlier this year maintaining that the incident was from a foreign nation attack.

The attacker’s identity was determined with a “high degree of confidence” and “concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government.”

“This was one of the largest cyber hacks of an insurance company's customer data," Insurance Commissioner Dave Jones said in a statement. “"Insurers have an obligation to make sure consumers' health and financial information is protected. Insurance commissioners required Anthem to take a series of steps to improve its cybersecurity and provide credit protection for consumers affected by the breach.”

“In this case, our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government.”

Anthem first discovered the data breach on January 27, 2015, but did not publicly report the information until February 2015.

READ MORE: Healthcare Hacking Leading Cause for 2017 Incidents

Hackers infiltrated an Anthem data base, potentially compromising names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses.

The California Department of Insurance determined that Anthem took reasonable measures to protect its data before the data breach, and had employed a remediation plan which helped lead to a quick and effective breach response.

However, Anthem was also criticized for its data breach response tactic. Senate health committee Chairman Lamar Alexander and Ranking Member Patty Murray wrote a letter to Anthem President and CEO Joseph Swedish in March 2015.

The duo said notification letters should be sent to all potentially affected individuals.

“While we appreciate your efforts to keep our Committee informed of your efforts to respond to the attack after you became aware of it, we are troubled by Anthem’s delay in notifying these 78.8 million Americans,” Alexander and Murray stated.

As of that time, more than 50 million individuals had not yet received a data breach notification letter from Anthem, the two explained.

“While we understand the logistical challenges associated with contacting millions of people, the highly sensitive nature of this information makes early notification essential, and we are concerned with your slow pace of notification and outreach thus far,” the lawmakers stressed. “We are writing to formally request that you speed up the pace of notifications, and share with our committee what steps you plan to take in the next few days, to dramatically increase the pace of notification.”


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks