$115 million settlement of Anthem data breach lawsuit

June 28, 2017
by Thomas Dworetzky, Contributing Reporter
Almost two years after a massive cyberattack against Anthem led to the loss of the personal data of 78.8 million individuals, the health insurance company has agreed to settle the litigation against it stemming from the breach for $115 million, according to the Wall Street Journal and other sources.

The money represents the biggest data-breach settlement in history, according to a statement from the court-appointed plaintiff attorneys from Altshuler Berzon, Cohen Milstein, Girard Gibbs and Lieff Cabraser.

“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” said Eve Cervantez, co-lead counsel representing the plaintiffs in the Anthem litigation.

The agreement awaits a final decision by U.S. District Judge Lucy Koh in San Jose, California, where the case is being litigated, according to Reuters.

The settlement provides that the money will be used to create a fund that covers “at least two years of credit monitoring,” as well as expenses victims have already incurred “as a result of the data breach.”

The two years is on top of the two years previously offered by the company, according to Reuters.

In addition, plaintiffs' attorneys said, it will provide cash compensation to those who already paid for credit monitoring. That payment is roughly $50 per person.

The proposed deal also requires “Anthem to guarantee a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls.”

“We are very satisfied that the settlement is a great result for those affected and look forward to working through the settlement approval process,” said Andrew Friedman, co-lead plaintiffs’ counsel.

Anthem spokeswoman Jill Becher told Reuters that the company was “pleased” about resolving the litigation, adding that the firm admitted no wrongdoing, and also that there was no evidence the compromised data had been used “for fraud” or sold.

In late January 2015, Anthem was hit with a large-scale, sophisticated cyber security attack. Names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information and income data were stolen.

There are a number of steps a company can take to protect against or deal with such a breach, Michelle Foster Earle, president of OmniSure Consulting Group, told HCB News at the time.

One solution that could have prevented Anthem's breach is called "two-factor authentication," which requires the system administrator to use a personal device to verify their identity before they can use an administrator password to log into the system.

But sometimes a breach is inevitable, no matter what precautions are put into place. If a hospital or insurer is hit with a breach, Earle thinks the first thing they should do is stop the bleeding by shutting down access where possible, changing passwords and informing the authorities.

Next, they need to inform the public of the breach through social media, which is something Anthem did very well. The CEO of Anthem, Joseph Swedish, spoke out about both what they knew and what they didn't know.

"[People] want to hear what's happening straight from the company they trusted," said Earle.

Earle recommended that all health care systems have in place a crisis management plan that covers cyber-breaches.

But the best risk management advice she can give, if you can't predict or control the breaches, is to get cyber liability insurance.