X

Anthem agrees to pay record $115M to settle data breach suit

The settlement, subject to a judge's approval, would be the largest to date for a data breach case, according to lawyers for the plaintiffs.

Michelle Meyers
Michelle Meyers wrote and edited CNET News stories from 2005 to 2020 and is now a contributor to CNET.
Michelle Meyers
2 min read
Health Insurance Provider Anthem Blue Cross To Hike Rates

The largest health insurance company in the US could pay a record $115 to settle a class action lawsuit stemming from a 2015 data breach.

David McNew/Getty Images

Anthem, the largest health insurance company in the US, has agreed to settle a class action lawsuit over a 2015 data breach for a record $115 million.

The settlement still has to be approved by US District Court Judge Lucy Koh, who is scheduled to hear the case on August 17 in San Jose, California. And Anthem isn't admitting any wrongdoing or that "any individuals were harmed as a result of the cyberattack."

"Nevertheless, we are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class," an Anthem spokeswoman said in a statement confirming the settlement.

Assuming it's approved, it would be the largest data breach settlement in history, according to the plaintiffs' lawyers, who first announced the agreement Friday.

The funds would be used to provide victims of the data breach at least two years of credit monitoring and to reimburse customers for breach-related expenses. The settlement would also guarantee a certain level of funding for "information security to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls," the plaintiff attorneys said.

The 2015 breach resulted in the exposure and theft of nearly 80 million records, including client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers. Using a stolen password, hackers were able to break into a database that contained information of former and current customers.

Indianapolis-based Anthem maintains that there was no evidence any compromised info was sold or used to commit fraud.

Although a mammoth breach at the time, the Anthem hack doesn't compare in scale to breaches Yahoo has since reported. One of them, which occurred in 2014 and was revealed in September, affected 500 million user accounts. Then three months later, the company disclosed an even bigger breach that happened in 2013 and affected a billion user accounts.

Yahoo is facing its own data breach-related lawsuits. But for now, Anthem's appears to be the most costly to date for a US company in terms of litigation payouts. In May, for example, Target agreed to pay $18.5 million to 47 states to settle claims stemming from a 2013 breach of credit card data. And Home Depot agreed to pay $19.5 million last year to settle a breach-related class action suit.

First published June 25, 10:27 a.m. PT.
Update, 1:23 p.m.: Adds comment and confirmation from Anthem.

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.

Logging Out: Welcome to the crossroads of online life and the afterlife.