HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – Substantially higher than $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50-million record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.