Anthem Breach Settlement 1 Step Closer to FinalAmendment Releases Certain Others From Liability in the Class Action Case
A federal judge has granted preliminary approval for an amended $115 million settlement in the consolidated class action lawsuit against health insurer Anthem over a 2015 cyberattack that impacted nearly 79 million individuals. The case is now slated to be wrapped up next February.
Among other things, an amendment to the proposed settlement - which was first announced on June 23 and preliminarily approved on Friday by the U.S. district court in San Jose, California - clarifies that a number of other persons and entities working with Anthem regarding the data breach have been released from legal claims by the class representatives and members in the case.
Those entities released from liability include technology and data security companies that worked with Anthem prior to the cyberattack, as well as companies that worked with the insurer to assist in the mitigation of the breach, says Eve Cervantez, co-lead counsel representing the plaintiffs in the Anthem litigation.
The amendment states that when the settlement becomes effective, all settlement class members and representatives will "absolutely and unconditionally release and discharge any and all released claims" against:
- Anthem's customers and also any company that provided information technology, information security auditing, or information security support to Anthem, and any person or entity that provided data to Anthem that was implicated in the data breach;
- Any insurance brokers;
- The settlement class representative and members' employers, health plans and plan fiduciaries;
- The Healthcare Information Security Trust alliance - or HITRUST; AllClear ID; Mandiant; Fire Eye; R.R. Donnelley & Sons Co.; IBM; Optiv Security Inc.; Microsoft; the Centers for Medicare and Medicaid Services; and any state or federal health insurance exchange.
CMS, a unit of the Department of Health and Human Services, is among entities named in the settlement's release of claims because some Anthem members affected are Medicare beneficiaries, Cervantez explains.
Those Not Off the Hook
The amendment specifically notes, however, that the settlement class representatives and class members "are not releasing the cyberattackers who committed the criminal acts involved in the data breach, and any person or entity that intentionally misuses the personal information stolen in the data breach for unlawful purposes" from liability.
Thus, the amendment preserves the rights of consumers whose sensitive personal information was disclosed to file a separate lawsuit "against the original cyberattackers who stole personal information from Anthem or any person or entity who intentionally misuses class members' stolen PII for unlawful purposes," explains privacy attorney David Holtzman, vice president of security consulting firm CynergisTek, who was not involved in the case. "If it can be determined who was behind the cyberattack that resulted in the Anthem breach, these provisions hold out the hope to seek damages from them," he says.
In January, seven state insurance commissioners released a report on their investigation into the massive cyberattack against Anthem. The insurance commissioners concluded that the attack began with a phishing campaign launched by an unnamed nation-state. However, China has been suspected by security experts to be linked to the Anthem attack. In a related development, on Aug. 23, the FBI arrested a Chinese national on charges that he was a "malware broker" who distributed a remote-access Trojan called Sakula that has been tied to mega-breaches, including the attacks against Anthem and the U.S. Office of Personnel Management (see Chinese Man Allegedly Tied to OPM, Anthem Breach Malware Arrested).
The court handling the Anthem data breach case has slated a final approval hearing for the settlement on Feb. 1, 2018. If the $115 million deal is finally approved by the court, attorneys say it would be the largest data breach settlement ever reached.
The case represents the consolidation of more than 100 lawsuits that were filed against Anthem across the country in the aftermath of the 2015 cyberattack on the company.
Cervantez says notices to class members will be sent out starting in October, notifying them that they have 90 days to file a claim or opt out. In general, those who opt out of these types of class action settlements typically choose to do so because they potentially plan to file their own lawsuits, she explained.
The proposed settlement provides for Anthem to establish a settlement fund that would be used to:
- Provide victims of the data breach at least two years of credit monitoring, beyond the two years offered by Anthem in the immediate aftermath of the breach;
- Provide cash compensation for those consumers who are already enrolled in credit monitoring, such as credit monitoring plans provided by employers;
- Cover out-of-pocket expenses - up to $10,000 - incurred by consumers as a result of the data breach.
In addition to the monetary fund, the settlement also requires Anthem to enhance its security, guarantee a certain level of funding for information security and implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls.
Court documents indicate that at the final approval hearing set for February, the court will consider a number of issues, including whether:
- The settlement is fair, reasonable, and adequate;
- The settlement class should be finally certified;
- A final judgment should be entered;
- Class counsel's motion for attorneys' fees and costs should be granted;
- The service payments sought for settlement class representatives should be awarded.
Lessons to Learn
So what are the key lessons that other covered entities and business associates should learn from the Anthem case?
"It's vital that everyone, from the smallest physician's office to the largest health insurer, have some cyber-awareness in place and take appropriate measures to understand what the risk is," Holtzman says.
"The Anthem breach happened because an employee opened a phishing email and it took almost an entire year for Anthem to notice anything was awry. The big takeaway from this breach is you have to have technologies in place that allow for audit and review, for monitoring system activity."