Anthem Inc. has agreed to a US$115 million settlement to resolve a class action lawsuit relating to a 2015 cyberattack that compromised data on 79 million individuals. Anthem has denied any wrongdoing.

In February 2015, Anthem reported that hackers had stolen personally identifiable information from millions of current and former customers, including names, addresses, Social Security numbers, health ID numbers, and employment and income information. Cyberattacks are an increasing threat to health care companies; according to the Identity Theft Resource Center (ITRC), the health care sector accounted for nearly 23 percent of all data breaches in 2017.

More than 100 lawsuits related to the breach were filed against Anthem, its subsidiaries and affiliates, and certain Blue Cross and Blue Shield companies that stored data on Anthem’s system. These lawsuits were later consolidated into a class action lawsuit in the U.S. District Court for the Northern District of California. The class action lawsuit alleged that Anthem and the other defendants breached their contractual obligations to plan members and violated state consumer protection laws by failing to adequately protect customers’ personal data. The payer’s settlement will be split among 19.1 million class members, each of whom was required to show that their personal information was stored in the data warehouse the hackers targeted.

Under the settlement, Anthem will establish a US$15 million fund for class members who incurred out-of-pocket expenses as a result of the data breach. Class members can claim up to US$10,000 in reimbursement for related out-of-pocket costs. Anthem will also pay for an additional two years of credit monitoring services for class members, beyond the two years the company has already offered. Class members who have already signed up for credit monitoring services can instead opt for a cash payment of US$50, with proof of their current credit monitoring coverage.

The settlement also requires Anthem to improve its data security systems and policies. According to settlement documents, Anthem has agreed to triple its annual spending on data security for the next three years and implement certain reforms such as “changing its data retention policies, following specific remediation schedules, and performing annual IT security risk assessments and settlement compliance review.”

The Anthem settlement represents one of the largest settlements in a consumer data breach case and is an example of the high cost of cyberattacks. Companies, particularly those that collect and store health data, should take precautions to reduce the risk of cyberattack, including ensuring that internal policies and procedures meet the standards set forth in the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state consumer protection and privacy laws. For additional recommendations related to Anthem’s security breach, read “Anthem breach poses significant cybersecurity risks for Anthem’s customers; may trigger legal obligation,” published in Norton Rose Fulbright’s Data Protection Report. Companies facing specific data security issues should consult with an attorney with subject matter expertise.