Anthem Inc., the victim of one of the more extensive data breaches in U.S. history, has agreed to pay a settlement of $115 million to consumers affected by the incident.
The settlement is believed to be the largest ever to result from a data breach in the U.S. and would end a class-action lawsuit that followed the 2015 compromise of Anthem, a major health-care provider. That breach affected more than 80 million consumers, and the data taken during the incident included names, birth dates, Social Security numbers, and other sensitive information. As part of the settlement, Anthem admits no fault for the incident.
“Defendants deny any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of any Defendant with respect to any claim of any fault or liability or wrongdoing or damage whatsoever,” the settlement says.
The settlement agreement, announced on Friday, is subject to a judge’s approval, but if it’s finalized the money from the agreement would go to pay for consumers’ credit monitoring and costs from the data breach. The Anthem compromise reportedly resulted from attackers sending spear-phishing emails to Anthem employees, one of whom opened the mail and started a chain that resulted in the installation of malware. The attackers then moved around inside the network and were able to compromise many other computers.
Anthem officials said the settlement does not indicate that the company was at fault for the breach, but the company will be making changes to its security program as part of the agreement.
“Nevertheless, we are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyber attack and who will now be members of the settlement class,” the statement says.
“Anthem is determined to do its part to prevent future attacks. To that end, as part of the settlement, Anthem has agreed to continue the significant information security practice changes that we undertook in the wake of the cyber attack, and we have agreed to implement additional protections over the next three years.”
At the time it occurred, the Anthem data breach was one of the larger breaches on record, but since then there have been several other breaches of greater magnitude. The series of compromises that hit Yahoo in the last few years are far larger, with one revealed in 2016 that hit more than a billion accounts.
A report from the California Department of Insurance, which conducted an investigation into the Anthem breach, concluded earlier this year that a foreign government was behind the attack.
“The team determined with a high degree of confidence the identity of the attacker and concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government. Notably, the exam team also advised that previous attacks associated with this foreign government have not resulted in personal information being transferred to non-state actors,” the insurance report says.
CC By-sa license image from Matthew Hurst