In 2015 Indianapolis-based Anthem, the largest health insurance company in the U.S., was the target of a data breach that resulted in the exposure and theft of nearly 80 million records, including client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers. Using a stolen password, hackers were able to break into a database that contained information of former and current customers. Now Anthem has agreed to settle a class action lawsuit over the breach for a record $115 million.
The settlement, which was announced in June, still has to be approved by US District Court Judge Lucy Koh, who is scheduled to hear the case on August 17 in San Jose, California. In addition, while Anthem has reached this settlement, the healthcare insurer isn’t admitting any wrongdoing or that “any individuals were harmed as a result of the cyber attack.” Anthem maintains that there was no evidence any compromised information was sold or used to commit fraud.
"Nevertheless, we are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyber attack and who will now be members of the settlement class," an Anthem spokeswoman said in a statement confirming the settlement.
If the settlement is approved, it would be the largest data breach settlement in history. Target agreed to pay $18.5 million to 47 states to settle claims stemming from a 2013 breach of credit card data. Home Depot agreed to pay $19.5 million last year to settle a breach-related class action suit.
The financial arrangement is intended to pay for two years’ worth of credit monitoring for customers impacted by the breach. As part of the settlement, Anthem also agreed to implement further security measures, such as enhancements to its data security system, including encryption and stricter access controls. For individual class members who already have their own credit-monitoring services and don’t want to enroll in the settlement’s plan, the settlement provides alternative compensation of as much as $50 per class member. The plan also requires Anthem to spend an undisclosed amount to help protect members’ personal information over the next three years.
While a significant breach at the time, the Anthem hack pales in comparison to the breaches Yahoo has since reported. One of them, which occurred in 2014 and was revealed in September, affected 500 million user accounts. Then, three months later, the company disclosed an even bigger breach that happened in 2013 and affected one billion user accounts.
Cyber Insurance: Must-Have Coverage
The Anthem breach and others, including those that don’t get the same high-profile press coverage, underscore the need for Cyber Liability insurance. Cyber insurance is designed to pay for the following costs:
- Investigations – the forensics necessary to determine what occurred, how to repair damage and how to prevent the same type of breach from reoccurring.
- Business losses, including monetary losses from network downtime, business interruption, data loss recovery and the costs involved in managing a crisis, which may involve repairing reputational damage.
- Privacy and notification, which includes required data breach notifications to customers and other affected parties as mandated by law in many jurisdictions, and credit monitoring for customers whose information was or may have been breached.
- Lawsuits and extortion: Legal expenses associated with the release of confidential information and intellectual property, legal settlements and regulatory fines (HIPAA in the case of healthcare organizations). This may also include the costs of cyber extortion, such as from ransomware.
RPS specializes in providing Cyber insurance to a wide range of industries, including healthcare providers. For more information about our programs, contact us.