Anthem to pay record $115m to settle lawsuits over massive breach

In 2015, the Office of Civil Rights (OCR) recorded that US providers were affected by 253 medical data breaches, equivalent to 112m records.

The bulk of those records came from Anthem. In February 2015, Anthem confirmed that it had been bled for an estimated 80m patient records, including names, taxpayer IDs, birthdays, health care ID numbers, street addresses, email addresses, and employment data that included income – a veritable toolkit for identity theft.

As it turned out, the massive data breach exposed sensitive data on not only Anthem customers: it also dragged in data from non-customers, in the form of patient records for 37 independently operated Blue Cross Blue Shield member companies that were also involved in the breach.

The breach was later determined to have originated from a single malicious email opened by one person. And though it turned out to be a little less than the first estimate, at 78.8m breached records, it still dwarfed that year’s next-biggest medical data breaches, with 11m breached at Premera and 10m from Excellus.

But then, many superlatives adhere to Anthem: it’s the largest health insurance company in the US, it’s lost the most medical records, and now it’s looking at the possibility of having to cough up the largest data breach settlement in history.

Plaintiffs’ counsel on Friday announced that Anthem’s agreed to pay a $115m settlement over the breach.

The settlement still has to be approved by US District Court Judge Lucy Koh, who’s scheduled to hear the case on August 17.

If approved, the money will go toward at least two years of credit monitoring for victims, will cover out-of-pocket expenses incurred by consumers as a result of the data breach, and will provide cash compensation for those people who are already enrolled in credit monitoring.

Beyond funds for the victims, the settlement also requires Anthem to keep up a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls.

From plaintiffs’ counsel:

The settlement is designed to protect class members from future risk, provide compensation, and ensure best cybersecurity practices to deter against future data breaches.

According to a report (PDF) on the Anthem breach conducted by seven state insurance commissioners, as of January, Anthem was already spending more than $260m on significant security-related measures.

The report says that Anthem’s security enhancements have included implementation of two-factor authentication (2FA) on all remote access tools; deployment of a privileged account management technology; additional, enhanced logging resources to its security event and incident management tools; a complete reset of passwords for all privileged users; suspension of all remote access pending implementation of 2FA; new network administrator IDs to replace the existing IDs; and additional monitoring technologies for critical databases.

According to the insurance commissioners’ report, the data breach began on Februay 18 2014, when a user at one of Anthem’s subsidiaries opened a phishing email containing malware. In other words, the attackers apparently had access to the data for about a year. That’s a lot of time to inflict a lot of damage, and that’s exactly what happened.

Once the computer was infected – the report fingered a nation state but didn’t identify which one – the attackers gained remote access to it and dozens of other systems within Anthem. They moved laterally throughout the IT infrastructure, getting into critical databases and exfiltrating data without being detected.

In fact, according to the report, the attackers ratcheted it up all the way into Anthem’s data warehouse:

The attacker utilized at least 50 accounts and compromised at least 90 systems within the Anthem enterprise environment including, eventually, the company’s enterprise data warehouse – a system that stores a large amount of consumer personally identifiable information. Queries to that data warehouse resulted in access to an exfiltration of approximately 78.8m  unique user records.

Is $115m a large fine? It may be the largest fine for a data breach in history, but keep in mind that this was an enormous breach, affecting one of the largest sets of victims ever. Do the math: if all 78.8m victims were to claim their rightful share of the settlement, they’d be rolling in a marble’s worth of dough at about $1.46 apiece.

We can gird our loins for what one assumes may be bigger fines still for yet-bigger data breaches. As CNET notes, Yahoo is facing its own data-breach-related lawsuits, for multiple breaches: a 2014 breach, revealed in September, affected 500m user accounts.

Three months later, Yahoo disclosed that 1bn user accounts had been carved out of it in 2013.

Can we expect that each Yahoo account holder who got pwned in those breaches will get the royal sum of $1.46 in settlement funds someday?

Doubtful! If they only got $1 each, that would be $1.5bn, and that’s before lawyers’ fees. But at any rate, here’s hoping that at least $115m gets paid out over the Anthem breach.

Don’t spend it all at once! …But if you do, Amazon has some nice Grumpy Cat stickers for $1.99!