Health insurer Anthem agreed to pay $39.5 million to settle another class action suit related to a cyberattack in 2015 that exposed the personal data of nearly 79 million people. The settlement is related to an investigation brought by U.S. state attorneys general, including those of New York, Indiana, Connecticut, Illinois, Kentucky, Massachusetts, and Missouri. The cyberattack, considered at the time one of the biggest the nation had ever witnessed, compromised users’ names, addresses, Social Security numbers, and medical identification numbers.
In a recent statement, Anthem said that it is also committed to enhancing its ongoing data protection measures. “The company is pleased to have resolved this matter, which is the last open investigation related to the 2015 cyberattack. Anthem does not believe it violated the law in connection with its data security and is not admitting to any such violations in this settlement with the State Attorneys General,” Anthem said.
“Anthem’s first priority was to ensure that its systems were secure and immediately engaged the FBI and a world-class security organization. The company took immediate action to investigate and assist consumers and customers and to meet and exceed its legal obligations to provide notice and cooperate with law enforcement. Following the investigations, no evidence has been found that information obtained through the 2015 cyberattack targeting Anthem has resulted in fraud,” Anthem added.
Not the First Settlement
The recent settlement is separate from a class action suit over the breach that Anthem settled in 2018. In July 2017, Anthem reported a massive data breach that resulted in the identity theft of 18,000 Anthem Medicare members. In April 2017, the company discovered that an employee who worked for one of Anthem’s health care consulting firms had been stealing and misusing the information of Medicaid members since July 2016.
As part of the settlement, Anthem agreed to pay a total of $115 million to resolve the litigation. The final resolution also pays for two years of credit monitoring and identity protection services for all the victims, including the costs of sending notices to class members, administering claims, and the attorneys’ fees. Anthem also clarified that there is no evidence of any fraud or misuse of the compromised data.