On August 15, 2018, a United States District Court granted final approval of a $115 million settlement in the Anthem data breach lawsuit, which arose after Anthem announced in February 2015 that hackers had breached its network and compromised the personal information of 78.8 million people.
We are no longer accepting new clients in this case.
Settlement Benefits
The settlement required Anthem to pay $115 million to provide class members with:
- A minimum of two years of triple bureau credit monitoring and identity theft protection
- Cash instead of credit monitoring for class members who demonstrate that they are already covered by adequate credit monitoring for the next year
- Reimbursement of out-of-pocket costs that can be traced to the data breach
The settlement also required Anthem to enhance its information security practices to help protect the personal information stored in its databases from another cyberattack, including by:
- Encrypting certain personal information
- Strengthening specified data security controls
- Guaranteeing that Anthem’s information security funding will not fall below a certain level
- Moving certain data into archived databases that will have strict access controls and be robustly monitored
About the Anthem Data Breach
Anthem, Inc., the nation’s second-largest insurer, disclosed on February 4, 2015 that its information security systems had been subject to a cyber-attack. Bloomberg reported that the details of up to 80 million Anthem customers were exposed to theft by hackers. According to Anthem’s press release, thieves obtained personal information from Anthem’s data systems including names, birthdays, Social Security numbers, street addresses, email addresses, employment information, and income data. This press release also stated that the breach impacts all Anthem product lines, including Anthem Blue Cross, Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
Hackers May Have Had Access to Anthem’s Database for Over a Month
Reports indicate that Anthem’s database was open to hackers for over a month. Anthem first detected the data breach on January 27, 2015, according to an internal memorandum sent by Anthem to its employees, which is available on CSO Online’s Top Security News blog. An Anthem database administrator discovered a data query running under the administrator’s own logon information. Because he had not initiated the query, he stopped it and informed the Information Security department. Anthem then discovered that the logon information for additional database administrators had been compromised. On January 29, 2015, Anthem officially determined that it was the victim of a cyber-attack and alerted government officials. This memorandum also states that the unauthorized activity began on December 10, 2014.
Experts Say Anthem Did Not Take Basic Security Steps
According to The New York Times, experts have said that Anthem did not take basic security steps such as protecting the data in its computers through encryption. Thomas Miller, Anthem’s chief information officer, stated that at the time of the breach, Anthem was considering encrypting its internal database. According to John Kindervag, an analyst with Forrester Research, Anthem mistakenly assumed that the information within its own database was secure, and did not apply the same protective standards it uses when it sends data to a doctor’s office.
Anthem’s History of Data Breach Problems
Anthem has a history of data breach issues. In 2010, before it changed its name to Anthem, WellPoint suffered a data breach impacting over 600,000 customers, after a failed security update to one of its systems. In 2013, WellPoint agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle claims that this data breach violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
