Privacy & Information Security Law Blog

On June 23, 2017, Anthem Inc., the nation’s second largest health insurer, reached a record $115 million settlement in a class action lawsuit arising out of a 2015 data breach that exposed the personal information of more than 78 million people. Among other things, the settlement creates a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers, as well as up to $38 million in attorneys’ fees.

Anthem announced in February 2015 that it had been the target of an external cyber attack. The personal information obtained by attackers included names, dates of birth, Social Security numbers and health care ID numbers. Following the breach, Anthem offered affected individuals two years of credit monitoring. Under the settlement agreement, plaintiffs will be offered an additional two years of credit monitoring and identity protection services. Class members who already have credit monitoring services can submit a claim for monetary compensation instead of receiving the additional services.

The settlement also requires Anthem to make certain changes to its data security systems and cybersecurity practices for at least three years. These changes include (1) implementing data retention periods, (2) strict access requirements, (3) mandatory information security training for all associates and (4) annual IT security risk assessments. During this three year period, Anthem must engage an independent consultant to verify it is in compliance with the terms of the settlement agreement, and remediate 95 percent of critical findings within three years. The settlement further requires Anthem to allocate a certain amount of funds for information security and increase its funding for every additional 5,000 users if Anthem increases its users by more than 10 percent, whether by acquisition or growth.

The U.S. District Court for the Northern District of California, San Jose Division, is scheduled to hear a motion for preliminary approval of the settlement on August 17, 2017. If approved, a third-party administrator will be appointed to manage the settlement.