In terms of sheer size, Anthem, Inc. is ranked second among the country’s health insurers. But thanks to recent litigation, it now holds first-place (though dubious) “honors” in another regard: the company recently signed a $115 million deal to resolve litigation over a 2015 cyber-attack, a deal that currently stands as the largest data breach settlement in history.

Anthem “pleased” to move past case

A statement on Anthem’s website begins with noting that the settlement “does not include any finding of wrongdoing, and Anthem is not admitting any wrongdoing or that any individuals were harmed as a result of the cyber attack. Nevertheless, we are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyber-attack and who will now be members of the settlement class.”

Credit monitoring, identity theft protection services, out-of-pocket expenses

By way of restitution for the approximately 80 million consumers affected by the data breach, Anthem is to provide credit monitoring and identity theft protection services for a period of two years, or, for those individuals who proactively purchased monitoring and protection on their own when they were warned of compromised data, the company will reimburse those costs.

Furthermore, if any consumers were forced to pay additional fees as a direct result of the breach, Anthem is expected to absorb those costs. A $15 million pool has been set aside in anticipation of those possible out-of-pocket expenses, though the company has said it does not have evidence that any such damages (i.e., the selling of consumers’ data or the use of stolen information to perpetuate fraud) have occurred.

Anthem required to strengthen its existing security programs

Beyond making the 80 million victims whole, the settlement stipulates that Anthem look ahead to the prevention of compromised information: the insurer is tasked with improving existing data security programs and with dedicating monies to IT security down the road.

“Anthem has had, for many years, a strong information security program to protect the personal data entrusted to us,” the statement on the insurer’s website notes. “As we have seen in cyber-attacks against governments and private sector companies including Anthem over the past few years, many cyber-threat actors are increasingly sophisticated and determined adversaries. Anthem is determined to do its part to prevent future attacks.”

Insurer says it responded quickly when cyber-attack occurred

The company’s statement also makes a distinction between its voluntary damage control and the recent court-ordered action by pointing out that when Anthem discovered the breach two years ago, it extended 24 months of credit monitoring and identity theft protection to all who had been made vulnerable by the cyber attack. The settlement will provide an additional two years’ of monitoring and identity protection. Furthermore, the insurer reiterated its ongoing commitment to the security protocol improvements it began when the breach occurred; other protections are expected to be folded in to data security over the span of three years as well.

The statement on Anthem’s website indicates that the settlement will be managed by a third-party administrator and overseen by the Court; therefore, specific questions from breach victims should be directed to the settlement administrator.


This blog post is provided for educational purposes only and is not offered as, and should not be relied on as, legal advice. Any individual or entity reading this information should consult an attorney for their particular situation. For more information/questions regarding any legal matters, please email or call 310.203.2800.