The parties have agreed to a settlement in the Anthem data breach lawsuit, which arose after Anthem announced in February 2015 that hackers had breached its network and compromised the personal information of 78.8 million people.
The settlement requires Anthem to pay $115 million to provide class members with:
- A minimum of two years of triple bureau credit monitoring and identity theft protection
- Cash instead of credit monitoring for class members who demonstrate that they are already covered by adequate credit monitoring for the next year
- Reimbursement of out-of-pocket costs that can be traced to the data breach
The settlement also requires Anthem to enhance its information security practices to help protect the personal information stored in its databases from another cyberattack, including by:
- Encrypting certain personal information
- Strengthening specified data security controls
- Guaranteeing that Anthem’s information security funding will not fall below a certain level
- Moving certain data into archived databases that will have strict access controls and be robustly monitored
Settlement Preliminarily Approved, Awaiting Final Approval
In a class action, once the parties reach a settlement, there are two more stages before the settlement can become final. First, the judge must grant preliminary approval of the settlement. Second, the judge must grant final approval.
On August 25, 2017, the court preliminarily approved the settlement. After preliminary approval, class members are sent notices describing the terms of the settlement and giving them an opportunity to opt out and comment on the settlement.
After final approval, class members are sent another round of notices explaining how they can claim their share of the benefits under the settlement, including any cash compensation that they are entitled to.
Important Settlement Dates
- 10/30/17 – All notices will have been sent by this date
- 12/29/17 – Deadline to opt out of the class settlement
- 2/1/18 – Court will hold a hearing about final settlement approval
If you have not received a notice by around mid-November, you may want to contact the settlement administrator (KKC).
For more information and to receive updates about the case, please visit the settlement website.
Data Breach Affects All Anthem Product Lines
Anthem, Inc., the nation’s second-largest insurer, disclosed on February 4, 2015 that its information security systems had been subject to a cyber-attack. Bloomberg has reported that the details of up to 80 million Anthem customers were exposed to theft by hackers. According to Anthem’s press release, thieves obtained personal information from Anthem’s data systems including names, birthdays, Social Security numbers, street addresses, email addresses, employment information, and income data. This press release also states that the breach impacts all Anthem product lines, including Anthem Blue Cross, Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
Anthem: Medical Information Was Not Compromised
Anthem claims that there is no evidence that banking, credit card, or medical information has been compromised. The New York Times has reported that according to Katherine Keefe, the global focus leader for breach response services at Beazley, stolen medical information can be sold on the street for ten times the value of a credit card number.
Hackers May Have Had Access to Anthem’s Database for Over a Month
Reports indicate that Anthem’s database was open to hackers for over a month. Anthem first detected the data breach on January 27, 2015, according to an internal memorandum sent by Anthem to its employees, which is available on CSO Online’s Top Security News blog. An Anthem database administrator discovered a data query running under the administrator’s own logon information. Because he had not initiated the query, he stopped it and informed the Information Security department. Anthem then discovered that the logon information for additional database administrators had been compromised. On January 29, Anthem officially determined that it was the victim of a cyber-attack and alerted government officials. This memorandum also states that the unauthorized activity began on December 10, 2014.
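The memorandum describes the breach being noticed because a query was running under an administrator's own logon that he had not started. As an added illustration (not code from Anthem or the settlement materials), the following script runs a simple check over constructed database audit-log lines and flags any watched privileged account that holds live sessions from more than one client host at the same time; the log format, account names and host names are all assumptions.

```python
# Added example: flag concurrent sessions of a privileged database account
# from different client hosts, the pattern behind the Anthem detection
# (a DBA's logon in use while the DBA was not running anything).
# Log format, account names and hosts are constructed for this example.
from collections import defaultdict

DBA_ACCOUNTS = {"dba_alice"}  # assumed set of privileged accounts to watch

# Constructed sample audit lines: time user client_host event
AUDIT_LOG = """\
08:01 dba_alice ws-alice LOGIN
08:05 dba_alice ws-alice QUERY
08:10 dba_alice app-srv-7 LOGIN
08:11 dba_alice app-srv-7 QUERY
08:12 analyst_bob ws-bob LOGIN
08:12 analyst_bob ws-bob QUERY
08:20 dba_alice ws-alice LOGOUT
""".splitlines()


def parse(line):
    """Split one audit line into (time, user, host, event)."""
    t, user, host, event = line.split()
    return t, user, host, event


def concurrent_privileged_sessions(lines):
    """Return (time, user, hosts) for every LOGIN that leaves a watched
    account with open sessions on more than one client host at once."""
    active = defaultdict(set)  # user -> hosts with an open session
    alerts = []
    for line in lines:
        t, user, host, event = parse(line)
        if user not in DBA_ACCOUNTS:
            continue  # only privileged accounts are of interest here
        if event == "LOGIN":
            active[user].add(host)
            if len(active[user]) > 1:
                alerts.append((t, user, tuple(sorted(active[user]))))
        elif event == "LOGOUT":
            active[user].discard(host)
    return alerts


if __name__ == "__main__":
    for t, user, hosts in concurrent_privileged_sessions(AUDIT_LOG):
        print("ALERT %s: %s has concurrent sessions from %s" % (t, user, hosts))
```

In the constructed log the alert fires at 08:10, when dba_alice's logon appears from app-srv-7 while her workstation session is still open.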
Experts Say Anthem Did Not Take Basic Security Steps
According to The New York Times, experts have said that Anthem did not take basic security steps such as protecting the data in its computers through encryption. Thomas Miller, Anthem’s chief information officer, stated that at the time of the breach, Anthem was considering encrypting its internal database. According to John Kindervag, an analyst with Forrester Research, Anthem mistakenly assumed that the information within its own database was secure, and did not apply the same protective standards it uses when it sends data to a doctor’s office.
Anthem’s History of Data Breach Problems
Anthem has had a history of data breach issues. In 2010, before it had changed its name to Anthem, Wellpoint suffered a data breach impacting over 600,000 customers, after a failed security update to one of its systems. In 2013, Wellpoint agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle claims that this data breach violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Healthcare Breaches Are On the Rise
According to statistics quoted by The New York Times from the Office for Civil Rights at the Department of Health and Human Services, there have been over 740 major healthcare breaches affecting 29 million people in the past five years. The Identity Theft Resource Center’s 2014 report also states that 42.5 percent of reported data breaches occurred in the medical and healthcare sector, the largest number of data breaches among all categories. The report also states that healthcare breaches have been on the rise the past ten years.
Yet The New York Times has reported that healthcare companies like Anthem are behind other industries in protecting sensitive personal information. Avivah Litan, a cybersecurity expert for Gartner, stated that health organizations “are generally less secure than financial service companies who have the same type of customer data.”
On February 6, 2015, Anthem warned its customers that they might be subject to scam email and phone campaigns targeting current and former members. These scams are designed to appear as if they were from Anthem, but are intended to trick consumers into sharing personal data (these are called phishing scams).