Judge Approves Final $115 Million Anthem SettlementBut Most Victims of the Health Insurer's Data Breach Will See No Cash
A federal judge in California has given final approval to a $115 million settlement involving health insurer Anthem over its 2015 data breach. The settlement is the largest ever recorded for a class-action lawsuit filed over a data breach. But most victims will receive no money.
See Also: API Security: Making Sense of the Market
The class-action suit has been winding its way through federal court in San Jose since mid-2015 and is the result of a consolidation of more than 100 lawsuits filed against Anthem.
Most of the settlement fund will be used to fund two more years of credit monitoring and fraud resolution services for victims. About 13 percent of the fund has been reserved for cash reimbursements for any victims who paid out of pocket for security monitoring services.
Anthem Must Triple Its Cybersecurity Budget
Anthem, which was formerly known as WellPoint, disclosed in February 2015 that attackers gained access to a corporate database and stolen more than 79 million records containing patient and employee data (see Anthem Hit by Massive Data Breach).
The stolen data has never surfaced publicly. In August 2017, however, a Chinese man was arrested by U.S. authorities for allegedly distributing a type of malware that was used in the Anthem attack as well as in an attack against the U.S. Office of Personnel Management (see Chinese Man Allegedly Tied to OPM Breach Malware Arrested).
The Anthem breach affected a gamut of the organization's affiliated brands, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.
As part of the full settlement amount, Anthem is required to make "changes to its data security systems and policies" as well as to nearly triple its cybersecurity budget, writes U.S. District Judge Lucy H. Koh, who approved the settlement.
28 People Opposed Settlement
The total number of class members in the lawsuit that has led to the settlement is 79.1 million. Only 28 people opposed the final settlement.
One of the tricky parts of data breach lawsuits is trying to determine the amount of damages that should be awarded to victims. According to the final settlement agreement, an expert witness for the plaintiffs calculated that the damage amounted to $10 per person. Anthem's expert, however, put the cost at $4 per victim.
"The credit monitoring services offered in this settlement are more extensive than the services offered by Equifax."
—District Judge Lucy H. Koh
Koh writes that the damages would have reached $792 million, using the plaintiff's figure. The agreed settlement instead awards the plaintiffs 14.5 percent of what they would have sought at trial, she writes. The judge cited two other cases where settlements that were 9.7 percent and 10 percent of what plaintiffs had sought was found to have been "reasonable."
Koh writes: "The court finds that this percentage is within the range of reasonableness after taking into account the costs and risks of litigation."
Some data breach victims may be eligible for out-of-pocket costs related to the breach. Of the settlement, $15 million will be set aside for those who submit claims for credit monitoring or other costs, up to a maximum of $10,000 per person. The maximum cash payment for anyone who signed up for credit monitoring is $50.
Three people in the class objected to the value of the credit monitoring reimbursement, the settlement says. The people contended that it was of little value, ironically because they'd already received free monitoring via Equifax as a result of the credit bureau's 2017 data breach (see Equifax: US Breach Victim Tally Stands at 146.6 Million).
But "the credit monitoring services offered in this [Anthem] settlement are more extensive than the services offered by Equifax," Koh writes. After its breach, Anthem voluntarily offered all victims two years of credit monitoring, and the final settlement agreement should see that monitoring get extended to more than four years, the judge writes.
Big Breaches Lead to Big Costs
In and of itself, the Anthem class action settlement is believed to be the largest on record for a data breach. But for other companies hit with significant data breaches, the costs extend far beyond just consumer class-action lawsuits.
A class action suit filed against Home Depot, for example, resulted in a $27.2 million settlement fund that covered 52 million consumers. The 2014 breach of Home Depot's systems exposed 56 million payment cards as well as personal details for up to 53 million individuals.
Target, meanwhile, experienced a breach in 2013 that led to the exposure of 40 million payment cards and contact details for 60 million consumers. The retailer ultimately reached a $23.3 million settlement with a class of 110 million consumers. Target also paid a fine of $18.5 million following legal action by the attorneys general of 47 states and the District of Columbia (see Target Reaches $18.5 Million Breach Settlement with States).
Home Depot and Target were also forced to reach settlement agreements with card issuers and companies such as MasterCard and Visa. Those settlements were "much larger" than the consumer litigation, the Anthem settlement agreement notes. Target's settlement with Visa alone, for example, was worth $67 million.
Breach costs can also include incident response, mitigation, ongoing investigations and cleanup. By the end of 2017, for example, Equifax reported that it faced $439 million in costs due to its data breach, of which $125 million would be covered by its cybersecurity insurance policy.
Executive Editor Mathew Schwartz also contributed to this story.