Health insurance giant Anthem, Inc. agreed to the largest data breach settlement to-date last week, ending multi-district consumer litigation over a 2015 data breach for $115 million. The data breach, which resulted from a hacker-orchestrated cyberattack following the theft of an employee password, exposed personally identifiable information (“PII”) and protected health information (“PHI”) of nearly 80 million people. The stolen information included the names of current and former clients, dates of birth, addresses, social security numbers, and other medical information.
The settlement package offers class members two years of credit monitoring in addition to what Anthem has already offered, provides a nearly $15 million pool of funds for reimbursement of certain out-of-pocket expenses incurred as a result of the breach, and provides a pool of money to compensate consumers for credit monitoring already obtained. The settlement also provides for up to $38 million (1/3 of the settlement fund amount) in attorneys’ fees for class counsel, and requires Anthem to earmark certain amounts for upgrades to its data security systems. The settlement does not include an admission of wrongdoing or liability by Anthem.
The agreement potentially ends years of litigation against Anthem, dozens of Anthem affiliates, and various Blue Cross entities stemming from alleged violations of federal and state consumer protection laws. The litigation was largely intact despite two motions to dismiss in 2016 which dismissed a subset of specific claims against non-Anthem affiliates in February, and then allowed amended breach of contract, negligence, and state unfair competition claims to go forward in May. The parties had briefed the consumers’ motion for class certification, but reached the settlement before the Northern District ruled on the motion.
The settlement awaits approval by Judge Lucy Koh of the Northern District of California. The case caption is In re Anthem Inc. Data Breach Litigation, No. 5:15-md-02617 (N.D. Cal.).