Anthem to pay $115 billion for 2015 data breach
(Bloomberg) -- Anthem Inc. agreed to pay $115 million to resolve consumer claims over a 2015 cyber-attack that compromised data on 78.8 million people, marking what attorneys in the case called the largest data-breach settlement in history.
The proposed accord, which would end class-action lawsuits filed in several states, requires approval from a federal judge in San Jose, California. Anthem sells coverage under the Blue Cross and Blue Shield brand in 14 states.
“We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyber-attack and who will now be members of the settlement class,” the Indianapolis-based company said Friday in a statement.
Anthem didn’t admit any wrongdoing in the settlement.
The company said in February 2015 that hackers obtained data on tens of millions of current and former customers and employees that led to a probe by the Federal Bureau of Investigation. The information compromised included names, birthdates, Social Security numbers, medical IDs, street and e-mail addresses and employee data, including income, Anthem said at the time.
As part of the proposed settlement, $15 million would be set aside to pay for out-of-pocket expenses incurred as a result of the data breach.
The proposal filed Friday would require Anthem to establish a fund to buy at least two years of credit monitoring services for the class to help protect them from fraud.
For individual class members who already have their own credit-monitoring services and don’t want to enroll in the settlement’s plan, the settlement provides alternative compensation of as much as $50 per class member.
The plan also requires Anthem to spend an undisclosed amount to help protect members’ personal information over the next three years.
In 2015, after the breach was made public, Anthem established a website, anthemfacts.com, where people affected by the breach could sign up for two years of credit monitoring.
The case is In re Anthem Inc. Data Breach Litigation, 5:15-md-02617, U.S. District Court, Northern District of California (San Jose)