Anthem Inc., one of the nation’s largest health insurers has agreed to pay $115 million to settle litigation stemming from a 2015 hacking incident that compromised the personal data of some 79 million people, according to nbcnews.com, which cited lawyers for the plaintiffs.
Proceeds from the settlement would cover two years of credit monitoring for the victims of the hacking attack, who are believed to include former Anthem customers and customers of insurers affiliated with Anthem through the national Blue Cross Blue Shield Association, according to a report by Reuters. Lawyers said the settlement would be the largest ever for a data breach.
“We are very satisfied that the settlement is a great result for those affected and look forward to working through the settlement approval process,” Andrew Friedman, a lawyer for the victims, said in a statement.
The hack took place in February 2015, when an unknown perpetrator accessed a database containing personal information, including names, birthdays, Social Security numbers, addresses, email addresses, and employment and income information. More than 100 lawsuits were filed against Anthem as a result.
In announcing the breach, the company offered victims two years of credit monitoring. The current settlement adds on to that. Victims can choose to receive cash instead — up to $50 per person — if they’re already enrolled in credit monitoring.
A spokesperson for the company said there was no evidence that the compromised information was sold or used to commit fraud. Anthem did not admit wrongdoing.
The settlement also requires Anthem to, “guarantee a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls,” according to the victims’ lawyers.
In a statement to CyberScoop, Anthem said, it agreed to “continue the significant information security practice changes that we undertook in the wake of the cyberattack, and we have agreed to implement additional protections over the next three years.”