Monday, July 3, 2017

Anthem Pays $115 Million to Settle 2015 Data Breach Lawsuit

In 2015, Anthem suffered a data breach that resulted in the theft of nearly 80 million (you read that correctly) records containing personal information of members as well as employees. The company had an insurance policy for this type of problem, but unfortunately it only covered $100 million, meaning the company is on the hook for $15 million. This is the largest payout in history for a company that has experienced a hack and data theft.
I’ve mentioned before how the weakest security link is almost always the human beings who are using the technology. Guess how this whole thing got started. Yup, a phishing email sent to an employee who opened an attachment in the email. This was a simple password hack, but it enabled the bad guys to have access to the Anthem system, which, BTW, the company failed to encrypt. Oh, and they also waited several weeks before notifying the affected individuals. This is pretty much a trifecta of what NOT to do.
Here is the statement from Anthem:

Anthem has reached a settlement to completely resolve the multidistrict class action litigation relating to the 2015 cyber attack against the company. The settlement, which is subject to approval by the court, does not include any finding of wrongdoing, and Anthem is not admitting any wrongdoing or that any individuals were harmed as a result of the cyber attack. Nevertheless, we are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyber attack and who will now be members of the settlement class.

When Anthem discovered the cyber attack in 2015, the company offered two years of credit monitoring and identity protection services to all individuals whose data may have been impacted. As part of this final resolution of the litigation, class members can receive an additional two years of credit monitoring and identity protection services, along with other significant benefits.

Anthem has agreed to pay a total of $115 million to resolve the litigation. Those funds will pay for the additional two years of credit monitoring and identity protection services, and will also benefit class members in several other ways. In particular, while there is no evidence that any data impacted by the cyber attack has ever been sold or used to commit fraud, Anthem has agreed that $15 million of the fund will be allocated to pay actual out-of-pocket costs, up to a set amount, that class members claim they incurred due to the cyber attack. Class members who already have credit services can submit a claim to receive alternative cash compensation instead of receiving the credit services provided by the settlement. The costs of sending notice to class members, administering claims, and the class members’ attorneys’ fees are also included in this total amount. The benefits described above, however, will not be available until the settlement has been finally approved by the Court and any appeals have been concluded.

Anthem has had, for many years, a strong information security program to protect the personal data entrusted to us. As we have seen in cyber attacks against governments and private sector companies including Anthem over the past few years, many cyber threat actors are increasingly sophisticated and determined adversaries. Anthem is determined to do its part to prevent future attacks. To that end, as part of the settlement, Anthem has agreed to continue the significant information security practice changes that we undertook in the wake of the cyber attack, and we have agreed to implement additional protections over the next three years.

A third-party settlement administrator will manage the settlement, which will be overseen by the court in this litigation. The settlement administrator will be the best resource for questions pertaining to the settlement agreement, including how to register for the credit monitoring or identity protection services offered or how to submit claims for out-of-pocket costs or alternative compensation. If the Court preliminarily approves the settlement, the settlement administrator will set up a website regarding this settlement, and we will update this page with a link to that website and a phone number for the settlement administrator as soon as those are available.


Anthem is working with AllClear ID, a leading and trusted identity protection provider, to offer 24 months of identity theft repair and credit monitoring services to impacted individuals.


This includes customers of Anthem, Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore, HealthLink, and UniCare, and some employees of self-insured employer groups where Anthem received information about non-Anthem members to provide analytics and administrative services. Additionally customers of Blue Cross and Blue Shield companies who used their Blue Cross and Blue Shield insurance in one of fourteen states where Anthem, Inc. operates may be impacted and are also eligible: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin.


AllClear ID is ready and standing by to assist you if you need identity repair assistance. This service is automatically available to you with no enrollment required. If a problem arises, simply call and a dedicated investigator will do the work to recover financial losses, restore your credit, and make sure your identity is returned to its proper condition.


For additional protection, and at no cost, you may also enroll in the AllClear PRO service at any time during the 24 month coverage period. This service includes credit monitoring and an identity theft insurance policy. Please enroll at Those without Internet access can call 877-263-7995.


To access identity repair services, please call 877-263-7995


For additional information regarding your protections, please visit:
