UPDATE: August 16, 2018: A federal district judge in California approved the settlement.
Dive Brief:
- Anthem will pay a record $115 million to settle a class-action lawsuit stemming from a 2015 data breach in which the personal information of nearly 80 million members and employees was stolen.
- The company agreed to set aside funding for cybersecurity improvements as well as cover two years of credit protection and $15 million worth of out-of-pocket costs for those affected.
- In a statement, the payer did not admit to any wrongdoing or any harm to people as a result of the cyberattack, but said it is “determined to do its part to prevent future attacks.”
Dive Insight:
The payout is one of the largest amounts ever for a data breach settlement and exceeds the $100 million insurance policy Anthem had against cyberattacks at the time of the breach. The payer is likely happy to finalize the incident, as it received heavy criticism for how it handled the breach as well as how prepared — or not prepared — it was.
A report from the California Department of Insurance found that the initial breach occurred in February 2015 after an employee opened a phishing email. The attack was likely carried out on behalf of a foreign government. The report also concluded that Anthem had taken reasonable measures to protect its data and had mounted a “quick and effective” response.
Anthem reportedly knew about cybersecurity shortcomings from a 2013 audit, but was still compromised through a simple password attack and had not encrypted the personal data that was taken. Encryption at rest is no defense once an attacker holds valid credentials for the systems that decrypt the data, which is why the phishing foothold mattered at least as much as the missing encryption. Anthem was also criticized for taking several weeks to notify those who had been affected.
Anthem will now be required to make specific data security changes, “including encryption of certain information and archiving sensitive data with strict access controls,” according to a statement from the plaintiffs’ lawyers.
It isn’t unusual for months to pass before an organization is aware of a breach, and the company is not likely to escape the attack without a heavy hit to its bottom line. Health data breaches are costing the U.S. healthcare industry $6.2 billion a year, according to the Ponemon Institute.
One-third of healthcare leaders said in a recent HIMSS survey that they are “highly concerned” about being the victim of a security breach. Nearly 80% said their greatest security concern is employee awareness.
In approving the settlement on August 15, Judge Lucy Koh wrote in her opinion that it was "fair, adequate, and reasonable." Affected consumers can claim up to $10,000 each in out-of-pocket expenses from the $15 million pool, along with credit monitoring and fraud protection services.