Anthem Inc. agreed to pay $115 million in a deal to end a court battle over the 2015 data breach in which hackers gained access to sensitive records of nearly 80 million Americans. The funds will go toward credit monitoring and reimbursement for customers, in addition to as much as $38 million in attorneys’ fees.
The 2015 breach saw hackers access records including Social Security numbers, birthdays, addresses, detailed employment information and income data. Chinese state-sponsored attackers were suspected in the attack but there has been no official attribution.
The settlement requires Anthem to guarantee “a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls,” according to a statement by the plaintiffs’ attorneys. “The settlement is designed to protect class members from future risk, provide compensation, and ensure best cybersecurity practices to deter against future data breaches.”
Anthem faces further court battles. A crucial point in the litigation against Anthem is the allegation that the company willfully neglected cybersecurity, kept the neglect secret and failed to notify customers of the breach in a timely manner.
Earlier this year, Anthem lost a key decision when a federal judge ruled that security audits from before and after the breach will be made public.
In a statement to CyberScoop, Anthem acknowledged the settlement but stressed that it “does not include any finding of wrongdoing, and Anthem is not admitting any wrongdoing or that any individuals were harmed as a result of the cyber attack.”
“As part of the settlement, Anthem has agreed to continue the significant information security practice changes that we undertook in the wake of the cyber attack, and we have agreed to implement additional protections over the next three years,” the company’s statement read.
It’s not clear what those additional protections consist of. We’ve reached out to Anthem seeking clarification.
Additionally, the health insurance titan told CyberScoop it has agreed to “continue the significant information security practice changes that we undertook in the wake of the cyber attack,” including:
- Resetting all passwords for our associates and contractors
- Re-issuing new IDs and passwords for users with elevated access
- Implementing a three-tier authentication model along with one-time, limited-duration passwords for elevated privileged user access; and
- Expanding security logging and monitoring capabilities
Both parties have agreed to the settlement but it still must be approved by the court. A hearing on the matter is scheduled for August 17.