- Anthem will pay a record $115 million to settle a class-action lawsuit stemming from a 2015 data breach in which the personal information of nearly 80 million members and employees was stolen.
- The company agreed to set aside funding for cybersecurity improvements as well as cover two years of credit protection and $15 million worth of out-of-pocket costs for those affected.
- In a statement, the payer did not admit to any wrongdoing or any harm to people as a result of the cyberattack, but said it is "determined to do its part to prevent future attacks."
If approved, the payout will be the largest amount ever for a data breach settlement and exceeds the $100 million insurance policy Anthem had against cyberattacks at the time of the breach. It's a chance to move on for the payer, as it received heavy criticism for how it handled the breach as well as how prepared — or not prepared — it was.
A report from the California Department of Insurance found that the initial breach occurred in February 2015 after an employee opened a phishing email. The breach was likely on behalf of a foreign government. The report also concluded Anthem had taken reasonable measures to protect its data and had a "quick and effective" response.
Anthem reportedly knew about cybersecurity shortcomings from a 2013 audit, but was still the victim of a simple password hack and failed to encrypt personal data. It was also criticized for taking several weeks to notify those who had been affected.
Anthem will now be required to make specific data security changes, "including encryption of certain information and archiving sensitive data with strict access controls," according to a statement for the plaintiffs’ lawyers.
It isn’t unusual for months to pass before an organization is aware of a breach, and the company is not likely to escape the attack without a heavy hit to its bottom line. Though Anthem escaped the settlement with a relatively minor financial impact, those impacted will likely receive a small payout. Split 80 million ways, $115 million doesn't go very far.
One of the reason regulators have stepped up enforcement of cybersecurity negligence is because of the harm breaches and cyberattacks cause. It's hard to put a price on the value of someone's PII or PHI. But once exposed, there's no going back. More regulation to ensure cybersecurity best practices are met will go a long way in helping to prevent such damaging exposures.