US District Judge Lucy Koh has given final approval to a $115 million settlement that ends further claims against Anthem over its 2015 data breach that exposed personal information on 79 million people.
Potentially exposed data included names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses. Employment information was also potentially put at risk, according to Anthem.
The 2017 settlement requires Anthem to provide victims a minimum of two years of credit monitoring and identity theft protection, cash instead of credit monitoring for those who can show they already have a credit monitoring service, and reimbursement of out-of-pocket costs traceable to the data breach.
The credit monitoring in the settlement is in addition to the two years of credit monitoring Anthem offered victims when it announced the breach in February 2015, said Anthem spokeswoman Jill Becher as reported by NBC News.
In addition, the settlement requires Anthem to beef up its information security practices to protect personal information stored on its databases from another cyberattack.
This includes archiving databases with strict access controls and monitoring requirements, strengthening various data security controls, encrypting sensitive information, and guaranteeing a certain level of funding for Anthem’s information security.
“In sum, the Court finds that the distribution plan ‘reimburses class members based on the type and extent of their injuries’ … There are no valid objections to the distribution plan, in large part because the parties’ April 2018 amendment adopted the objectors’ recommendations. Examining the distribution plan in its entirety, the Court concludes that the distribution plan is reasonable,” wrote Judge Koh in her opinion.
According to the plaintiffs’ lawyers, this is the largest settlement ever for a data breach.
The Anthem data breach spurred more than 100 lawsuits across the country. Many of these lawsuits alleged that the provider “failed to properly protect personal information in accordance with their duties, had inadequate data security, and delayed notifying potentially impacted individuals.” These were all consolidated before Judge Koh.
“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” plaintiffs’ Co-lead Counsel Eve Cervantez said in a Girard Gibbs post.
The breach was first discovered by Anthem on January 27, 2015. In early February of that year, Anthem announced that it had suffered a major breach that compromised 78.8 million records, including records of at least 12 million minors.
The California Department of Insurance conducted a probe into the cyberattack.
“This was one of the largest cyber hacks of an insurance company's customer data,” Insurance Commissioner Dave Jones said in a statement.
“Insurers have an obligation to make sure consumers' health and financial information is protected. Insurance commissioners required Anthem to take a series of steps to improve its cybersecurity and provide credit protection for consumers affected by the breach. In this case, our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government,” Jones continued.
The department’s examination team and a separate internal investigation by Mandiant found that the data breach began on February 18, 2014, when a user within one of Anthem's subsidiaries opened a phishing email containing malware.
Opening the email permitted the download of malware to the user's computer and allowed hackers to gain remote access to that computer and at least 90 other systems within the Anthem enterprise, including Anthem's data warehouse.
The department’s investigation concluded that Anthem took reasonable measures to protect its data before the data breach and had employed a remediation plan which helped lead to a quick and effective breach response.
“The team noted Anthem's exploitable vulnerabilities, worked with Anthem to develop a plan to address those vulnerabilities, and conducted a penetration test exercise to validate the strength of Anthem's corrective measures,” the department said in its statement. “As a result, the team found Anthem's improvements to its cybersecurity protocols and planned improvements were reasonable.”