Anthem has agreed to pay $115 million to settle a class-action lawsuit following a 2015 data breach that exposed nearly 80 million patient records.
The preliminary settlement (PDF) requires Anthem to reserve $15 million to reimburse members that had verifiable out-of-pocket losses. The remaining $100 million will be used to provide victims of the breach with two years of credit monitoring and fraud detection services on top of the two years already offered by the insurer after the breach was discovered. Those who already have credit monitoring services can file for cash compensation.
A California district court judge is scheduled to rule on the preliminary hearing on August 17.
The terms of the agreement also require Anthem to devote a certain amount of money to information security over the next three years. Although the amount is redacted in the preliminary agreement, the court document says it “represents a three-fold increase over Anthem’s pre-breach allocation.”
The insurer will also be required to adhere to specific security practices, including conducting adversarial simulations twice a year and submitting an annual IT security risk assessment to the plaintiff’s counsel for review.
“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” Eve Cervantez, an attorney with Girard Gibbs LLP who represented the plaintiffs, said in a release.
In a statement posted to its website, Anthem denied any wrongdoing and said there is no evidence the data compromised in the attack was sold or used to commit fraud. The insurer defended is cybersecurity program and highlighted the intensifying attacks targeting the healthcare industry.
“As we have seen in cyberattacks against governments and private sector companies including Anthem over the past few years, many cyberthreat actors are increasingly sophisticated and determined adversaries,” the statement read. “Anthem is determined to do its part to prevent future attacks. To that end, as part of the settlement, Anthem has agreed to continue the significant information security practice changes that we undertook in the wake of the cyberattack, and we have agreed to implement additional protections over the next three years.”