Health insurer Anthem Inc. agreed to pay $115 million to settle a class-action lawsuit accusing it of failing to protect consumer data, making it the largest-ever settlement over a data breach.
According to Law360, the June 21 settlement will provide nearly 80 million victims of Anthem’s massive 2015 data breach with two years of credit monitoring services, cover expenses they paid out-of-pocket because of the breach, and compensate customers who had already paid for credit monitoring on their own.
Papers filed in a California federal court also show that the proposed settlement requires Anthem, the second-largest health insurance company in the U.S., to devote some of the settlement money to funding information security and making improvements to its data security systems over the next three years.
Anthem described the breach as a “very sophisticated external cyberattack” much like the breaches hackers have performed on other companies and government agencies. Anthem spokeswoman Jill Becher noted that “over the past few years, many cyberthreat actors are increasingly sophisticated and determined adversaries” and added that “Anthem is determined to do its part to prevent future attacks.”
In addition to Anthem, plaintiffs in the multidistrict litigation named more than two dozen Anthem affiliates and 14 “non-Anthem” Blue Cross groups as defendants in the lawsuit, claiming they violated federal and state consumer protection laws. A federal judge subsequently slashed some of those claims but left them largely intact, Law360 reported.
The Anthem agreement dwarfs a number of other data-breach complaints settled in recent months. Earlier in June, a judge granted preliminary approval to a proposed $1.6 million agreement between Neiman Marcus Group LLC and a class of customers whose credit card data was compromised in a 2013 data breach.
That agreement followed two similar agreements in May. In one of those deals, Target Corp. paid $18.5 million to settle a 2013 data breach complaint with 47 states and the District of Columbia. In the other, Kmart agreed to pay $18.5 million to a class of banks that were forced to compensate their customers after a cyberattack on Kmart’s data system.