Slashdot Mirror


Anthem To Pay $115 Million In The Largest Data Breach Settlement Ever (cnet.com)

An anonymous reader quotes CNET: Anthem, the largest health insurance company in the U.S., has agreed to settle a class action lawsuit over a 2015 data breach for a record $115 million, according to lawyers for the plaintiffs. The settlement still has to be approved by US District Court Judge Lucy Koh, who is scheduled to hear the case on August 17 in San Jose, California. And Anthem, which didn't immediately respond to a request for confirmation and comment, isn't admitting any admitting any wrongdoing, according to a statement it made to CyberScoop acknowledging the settlement.

But if approved, it would be the largest data breach settlement in history, according to the plaintiffs' lawyers, who announced the agreement Friday. The funds would be used to provide victims of the data breach at least two years of credit monitoring and to reimburse customers for breach-related expenses. The settlement would also guarantee a certain level of funding for "information security to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls," the plaintiff attorneys said.

The breach compromised data for 80 million people, including their social security numbers, birthdays, street addresses (and email addresses) as well as income data. The $115 million settlement averages out to $1.43 for every person who was affected.

56 comments

  1. $1.43? Unlikely. by Anonymous Coward · · Score: 0

    I'd say it's far closer to 30 cents after the lawyers etc get their share, if this is a class action suit.

    1. Re: $1.43? Unlikely. by Anonymous Coward · · Score: 0

      Good plan in theory, but it would conflict with Trump's plans to deport all the jihadi Muslims.

    2. Re: $1.43? Unlikely. by James_Duncan8181 · · Score: 1

      This community - and you - are really quite disgustingly prejudiced.

      --
      "To any truly impartial person, it would be obvious that I am right."
  2. Credit monitoring? by Anonymous Coward · · Score: 2, Insightful

    The courts still haven't figured out a legitimate way to compensate or help affected individuals if they're still just trying to fund credit monitoring.
    Companies with breaches like this should face real, tangible consequences. :-/

    1. Re:Credit monitoring? by gweihir · · Score: 2

      Prison time for those responsible in management, up to and including the CEO. Before that happens, nothing will change.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Credit monitoring? by ShanghaiBill · · Score: 1, Insightful

      Prison time for those responsible in management, up to and including the CEO.

      This kind of idiotic attitude is why America spends $100 Billion per year on prisons, nearly as much as the rest of the world combined. No, people should not go to prison for incompetence.

    3. Re: Credit monitoring? by Anonymous Coward · · Score: 1

      Yes they should. Incompetent doctor kills every patient they work on? Should they go to prison? Why should it be any different for corporate personhood?

    4. Re: Credit monitoring? by Anonymous Coward · · Score: 0

      This kind of idiotic attitude is why America spends $100 Billion per year on prisons, nearly as much as the rest of the world combined. No, people should not go to prison for incompetence.

      Nope. America spends so much on prisons because nobody punishes the incompetence in the criminal justice system.

      The rich and powerful don't even have to fear going to the same prisons, they get special treatment.

    5. Re:Credit monitoring? by Anonymous Coward · · Score: 0

      $100 Billion per year wasted on prisons... AKA Club Med.

    6. Re:Credit monitoring? by godel_56 · · Score: 1

      Prison time for those responsible in management, up to and including the CEO.

      This kind of idiotic attitude is why America spends $100 Billion per year on prisons, nearly as much as the rest of the world combined. No, people should not go to prison for incompetence.

      While the US does put way too many people in prison, this is not one of those cases. For those in power at the company, these fines are no punishment at all. The company is probably insured and any shortfall will be covered by shareholders, while the CEOs etc. will carry on getting the same or increased salaries and bonuses as usual, and the company's articles may make it almost impossible to vote them out (Mylan).

      Only the possibility of real PERSONAL penalties that they can't insure against or just claim as a tax loss will serve to "concentrate the minds" of those in charge.

    7. Re:Credit monitoring? by Anonymous Coward · · Score: 0

      I want my divorce Bill! Give me MY DIVORCE!!!!

    8. Re:Credit monitoring? by Anonymous Coward · · Score: 0

      What an absolutely moronic statement. The US is spending $0 on jailing incompetent CEOs. That's why settlements like this are considered simply the cost of doing business.

    9. Re:Credit monitoring? by Anonymous Coward · · Score: 1

      While I appreciate the instinct to blame all of upper management, it is usually tricky to determine actual fault. For example, I've personally had a conversation such as this:

      CTO: Our PCI auditors have found significant vulnerabilities in our infrastructure. We need to buy some new devices, they will cost $XX
      CEO: Get some new auditors.
      CTO: Honestly, I think I agree with them, and I'm worried about a data breach.
      CEO: But we have firewalls right?
      CTO: That's not the point, there are many other points of weakness that have nothing to do with firewalls.
      CEO: OK you need to shore this up with better procedures. You're in charge, keep me updated on your progress.
      CTO: Um, maybe my team could implement a stop-gap solution, but I'm understaffed and would have to discontinue coverage in some other area
      CEO: You're saying you can't handle this responsibility, maybe we need to transfer these responsibilities to [other manager]
      CTO: He knows nothing about infosec and doesn't even comprehend these issues
      CEO: Well if you're the best man for the job, better get going
      CTO: Sigh...

    10. Re:Credit monitoring? by Anonymous Coward · · Score: 0

      It's more to do with the lobbyists for the for-profit prison industry that lobby for mandatory minimum sentences for non-violent offenders, three strikes laws, etc.

    11. Re: Credit monitoring? by Anonymous Coward · · Score: 1

      ...
      CTO: The reason I am available for new placement is because I quit my previous position because my former employer was being .. Shall we say, "more optimistic" in their risk tolerance than I felt was ethical.

      Agency: That's great. Usually we just hear from some fat slob who thinks he got fired because his boss was envious of his 1500 calorie diet.

    12. Re:Credit monitoring? by phantomfive · · Score: 1

      At a large company like Anthem, the CTO needs to be assertive. He needs to make it clear to the CEO what the options are, and what it will cost to make things secure.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:Credit monitoring? by gweihir · · Score: 1

      I disagree. Top management should most definitely go to prison for gross incompetence or intent. And, quite frankly, it can only be one of the two if the screw-up is so extreme. If there are just fines, the C-level executives responsible will not even feel them. That is the reason why prison-time is required here. I do agree that the US is imprisoning far too many people, but these here cannot be impressed any other way, because they cannot simply buy their way out of that.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Credit monitoring? by gweihir · · Score: 1

      And that is exactly the point.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Credit monitoring? by gweihir · · Score: 1

      Well, if upper management had real risks of suffering for them not fixing things, maybe the competent ones would cut through the crap and the incompetent ones would get weeded out fast. That would be massively better than the dysfunctional system now in place.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re: Credit monitoring? by Anonymous Coward · · Score: 0

      We talking about Creimer? I'm confused.

    17. Re:Credit monitoring? by unrtst · · Score: 1

      Start sending the CEO's/CTO's/etc to prison when stuff like this happens, and I assure you that their prisons will start looking a lot nicer. Repeat and spread them out to improve all our prisons.

    18. Re: Credit monitoring? by Anonymous Coward · · Score: 0

      Everyone who has this happen to them is allowed a free credit freeze by each credit bureau. BAM! Solved. Even lifelock can't prevent anything, they are just quicker than a credit report and come with legal services of dubious value.

  3. Cool! by Anonymous Coward · · Score: 0

    Yay! Big money!

  4. $1.43 for every person who was affected. by charliemerritt03 · · Score: 1

    Every person NEGATIVELY affected will have more than $1.43 in damages - far mor

    1. Re: $1.43 for every person who was affected. by Anonymous Coward · · Score: 0

      But republicans don't care since they hate us and want us to die.

    2. Re: $1.43 for every person who was affected. by Anonymous Coward · · Score: 0

      People will die because of this, and that makes them so happy. They don't want us to have health insurance.

  5. Bean counters were right by Anonymous Coward · · Score: 0

    The fine was still cheaper than maintaining a proper IT and security organization.

  6. No prison time? They got away cheap! by gweihir · · Score: 1

    For this minuscule amount per customer exposed, they will likely happily do it all again...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:No prison time? They got away cheap! by interkin3tic · · Score: 1

      No no, see the free market will work, customers will simply take their business elsewhere! They'll choose one of the health insurance providers that keeps their data secure!

      (this is sarcasm)

  7. WOW...Are you kidding ????? by sit1963nz · · Score: 4, Insightful

    So a pirated music file is worth tens of thousands of dollars, but a person's confidential medical history is worth $1.43

    wow.....just effing wow.

    And here is the funny part, the $110 million is probably considered a tax deductible expense, so the victims are in effect paying themselves a portion of the compensation.

    Seems this is true.
    Being in power is not so you can punish the poor, it's to ensure the rich don't get punished.

    1. Re:WOW...Are you kidding ????? by Anonymous Coward · · Score: 5, Informative

      So a pirated music file is worth tens of thousands of dollars, but a person's confidential medical history is worth $1.43

      I'm actually surprised by this. Do a Google search for "cost of data breach" ... first hit is an IBM report. Take with a grain of salt, but, they claim it should be $141 per record on average.

      So, looks like Anthem got a ~99% discount somehow - it should have cost $11.2 billion.

    2. Re:WOW...Are you kidding ????? by guruevi · · Score: 1

      Exactly, this information goes on the black market for ~$10/record in bulk to several $1000/record for celebrities and others. $110M over the last 2 decades and probably another decade in the future (any further hacks for the foreseeable future will just be chalked up with this) is less than the cost of hiring a decent team of IT people.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:WOW...Are you kidding ????? by Anonymous Coward · · Score: 0

      So, looks like Anthem got a ~99% discount somehow - it should have cost $11.2 billion.

      Well, let's see, the GOP is trying to pass a health care bill that cuts subsidies for poor while giving a tax break to insurance companies that pay their CEO's over $500k which will cost the government about $40 million in taxes.

      I'm sure these two things are completely unrelated. It's not like our current administration exerts any pressure on judges or would fire them if they don't obediently do what the politicians say they should do, after all.

    4. Re:WOW...Are you kidding ????? by Zontar_Thing_From_Ve · · Score: 1

      So a pirated music file is worth tens of thousands of dollars, but a person's confidential medical history is worth $1.43

      The major reason this is true is that a small number of cases with delusional defendants and incompetent lawyers lost big time. I'm too lazy to look up her name, but there is some lady who lost 3 times in court and every loss ended up being worse than the one before. She basically admitted in court that she shared the files in question and the last time she went she had law school students (no joke) as her lawyers. The students talked smack before the trial about how it was going to be a slam dunk to win it and they got her her worst loss ever. The cases I've known where defendants won was when they had good lawyers and they denied personally sharing the files in question. One case involved a guy who ran a home for senior citizens and his lawyers showed that the wifi there wasn't secured and the plaintiffs couldn't explicitly prove that he and only he could be responsible for the files being shared. Every major loss I've ever read about involved defendants who admitted that they shared the files, refused to settle the case outside of court for a fraction of what they ended up paying with a loss in court, and basically seemed to think they would win in court simply because ... magic.

    5. Re:WOW...Are you kidding ????? by Anonymous Coward · · Score: 0

      So a pirated music file is worth tens of thousands of dollars, but a person's confidential medical history is worth $1.43

      I'm actually surprised by this. Do a Google search for "cost of data breach" ... first hit is an IBM report. Take with a grain of salt, but, they claim it should be $141 per record on average.

      So, looks like Anthem got a ~99% discount somehow - it should have cost $11.2 billion.

      That $141 cost per record includes any fines, reputation loss, as well as the cost associated with finding and fixing the breach.

    6. Re:WOW...Are you kidding ????? by Anonymous Coward · · Score: 0

      Just an FYI, legal penalties are normally not tax deductible.

    7. Re:WOW...Are you kidding ????? by Anonymous Coward · · Score: 0

      So a pirated music file is worth tens of thousands of dollars, but a person's confidential medical history is worth $1.43

      wow.....just effing wow.

      And here is the funny part, the $110 million is probably considered a tax deductible expense, so the victims are in effect paying themselves a portion of the compensation.

      Seems this is true.

      Being in power is not so you can punish the poor, it's to ensure the rich don't get punished.

      To be fair the MAFIAA could have asked for lower damages when they offer a settlement, they don't because their lawyers work for them on salary so they do what they're told.

      In a class action lawsuit, the lawyers are paid out of the settlement so they want to pitch something the company being sued will accept quickly to maximize the pay/work ratio. They don't work for any of the people represented by the "class" so they have no incentive to push for the maximum they can get let alone seriously consider going to court rather than settling.

    8. Re:WOW...Are you kidding ????? by Anonymous Coward · · Score: 0

      So a pirated music file is worth tens of thousands of dollars, but a person's confidential medical history is worth $1.43

      I'm actually surprised by this. Do a Google search for "cost of data breach" ... first hit is an IBM report. Take with a grain of salt, but, they claim it should be $141 per record on average.

      So, looks like Anthem got a ~99% discount somehow - it should have cost $11.2 billion.

      That $141 cost per record includes any fines, reputation loss, as well as the cost associated with finding and fixing the breach.

      No.
      They are in addition to the cost of loss. Read the report.

    9. Re:WOW...Are you kidding ????? by sit1963nz · · Score: 1

      Irrelevant, that is the part about being found guilty.

      Once they have been found guilty it costs a damn sight more than $1.43 for a music file.

      The justice system is no longer blind, it's seriously skewed towards benefitting the rich.

    10. Re:WOW...Are you kidding ????? by bill_mcgonigle · · Score: 1

      In every democracy, people vote to give other people power to give them what they think is free shit. People being people, they sell that power instead to the highest bidder, because those people in power want free shit. The corporations and special interests buy that power because they want free shit.

      Eventually everything ends in fire and the cycle repeats itself, as long as nobody learns their history lessons.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Correction by Solandri · · Score: 2

    The $115 million settlement averages out to $1.43 for every person who was affected.

    Class action lawyers get about 15% of the total settlement amount. So the actual breakdown is $17.25 million to the lawyers, $1.22 for each person affected.

  9. & everyone still knows about my dysfavoritism by Anonymous Coward · · Score: 0

    cease fire stand down,, keep the change,, sing along,, https://www.youtube.com/watch?v=GPyPT7fb0-Q ..turn off a few 1000 heavy duty WMDs on wheels just for a week or 2 just to see what happens, just in jersey even..

  10. And administrative fees by Okian+Warrior · · Score: 3, Informative

    Reading the settlement agreement provides the following disbursement

    As further described in this Agreement, the Settlement Fund shall be used by the Settlement Administrator to pay for:
    (a) all reasonable Administrative Expenses;
    (b) the Taxes described in Sections 3;
    (c) Service Payments awarded by the Court, as described in Section 11;
    (d) attorneys’ fees and costs approved by the Court, as described in Section 12;
    (e) Credit Services as described in Section 4;
    (f) Alternative Compensation as described in Section 5;
    (g) Out-of-Pocket Costs as described in Section 6.

    So the fund also covers taxes and administrative expenses, such as putting up a website where class members can go to register to get their money.

  11. in other news by Anonymous Coward · · Score: 0

    /. editors aren't admitting any admitting any proofreading.

  12. Anthem is worth $50.39 Billion as of June 25 2017 by Required+Snark · · Score: 3, Informative
    That is their market capitalization today.

    The fine is 0.23% of their market value, and as someone else pointed out it is tax deductible. Additionally it is not a single payment, so it will be spread out over two or more years.

    This will have zero impact on the economics of the company, which means it will have zero deterrent effect on Anthem or any other business in their sector. Or for any other business in the US, for that matter.

    It is, in short, a joke.

    --
    Why is Snark Required?
  13. Re: $1.43 by Anonymous Coward · · Score: 0

    Will you use the money for a mullet?

  14. Re:Anthem is worth $50.39 Billion as of June 25 20 by phantomfive · · Score: 1

    Market capitalization is only vaguely related to a company's actual value, and even less to their day-to-day cash flow, revenue and profits.

    --
    "First they came for the slanderers and i said nothing."
  15. Ridiculously paltry sum. by Ihlosi · · Score: 2

    This is not going to hurt, so nothing will change.

    1. Re:Ridiculously paltry sum. by Jerrry · · Score: 1

      I wonder how many people would obey the speed limits if the fine was $0.25 with no points?

      Fining big corporations like Anthem will only work if the fines are in the multi billion range, not a few million, or even a hundred million.

  16. Don't believe the hype! by Anonymous Coward · · Score: 0

    this means nothing, it just cost them $1.43 more per customer on a base of 80 million customers.

  17. Re:Anthem is worth $50.39 Billion as of June 25 20 by Required+Snark · · Score: 1
    So what? What's your point?

    Are you being a Slashdot Pundit and pointing out something of limited relevance or are you defending them? Do you think the fine is adequate and our system for regulating incompetent corporations is working correctly? Are you trying to make another point entirely?

    You have added no value to the conversation, except to get your name posted. Even posting something overtly wrong would be better than venting something so vapid.

    Get your game together, this is Slashdot. We say outrageous things and engage in verbal knife fights. For example, if Slashdot was a ride at the county fair you would not be allowed on because you are too short to hang with adults; go over to the petting zoo with the baby farm animals, it's more your speed. That, or something more cutting is where you should be, not this pseudo-intellectual crap.

    --
    Why is Snark Required?
  18. Re:Anthem is worth $50.39 Billion as of June 25 20 by phantomfive · · Score: 1

    So what? What's your point?

    The point is that if you're going to try to decide if this will hurt the company or not, you should look at either income before tax, current assets, or cash flow. Those numbers are easy to find and will give you a much more accurate picture of how much it will hurt the company. I'll even link to them for you, to make your life easier, here you go, enjoy.

    --
    "First they came for the slanderers and i said nothing."