Anthem, Inc., the nation’s largest health insurance company, has agreed to settle the class action litigation arising from its 2015 data breach for $115 million, eclipsing the amount of any previous data breach settlement. The lawsuit, filed in federal court in California, had survived two motions to dismiss. After extensive discovery, plaintiffs moved for class certification on March 10, 2017.
According to papers filed by plaintiffs’ counsel, the settlement includes an extension to the two years of credit monitoring Anthem originally offered following the announced breach in 2015, a pool of funds ($15 million) allocated for out-of-pocket expenses incurred by consumers, and $37.9 million in attorneys’ fees (along with more than $2 million in costs incurred by plaintiffs to date). The settlement also allocates approximately $23 million for costs of notice and administration of the settlement. Court documents state that the largest of these notice costs will be postage on postcard notices with a tear-off portion that can be returned to claim credit monitoring.
The settlement also requires Anthem to make changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls. Additionally, Anthem must engage an independent consultant to conduct an annual SOC 2 Type 2 assessment to verify that it is complying with the business practice commitments in the settlement and provide a copy of the assessment to the plaintiffs annually. Per the settlement agreement, Anthem must maintain these business practice commitments for at least three years from final approval of the settlement and entry of the judgment.
The data breach resulted in the exposure and theft of nearly 80 million records that included information such as names, dates of birth, addresses, e-mail addresses, medical ID numbers, and Social Security numbers. The hackers used stolen credentials to gain access to a database that contained information of current and former members.
The settlement still has to be approved by United States District Court Judge Lucy Koh. If it is approved, the settlement will be the largest data breach settlement in history.