SAN JOSE, Calif. (CN) – The largest settlement ever of claims stemming from a data breach received tentative approval from a federal judge on Friday.
U.S. District Judge Lucy Koh granted preliminary approval of a $115 million settlement between health insurance giant Anthem and the 79 million people whose data was compromised after a criminal hacker broke into the company’s servers and stole millions of health records.
“The court finds that the settlement agreement appears to be the result of serious, informed, non-collusive negotiations conducted with the assistance of former U.S. District Judge Layn R. Phillips over the course of nearly three months,” Koh wrote in her ruling granting preliminary approval.
The lynchpin of the settlement is a requirement that Anthem set up a $115 million fund to help consumers affected by the data breach to pay for at least two years of credit-monitoring services to identify possible identity theft and fraud.
“By settling now, the class is able to take advantage of remedies that, as a practical matter, would be unavailable or worth substantially less by the time this case could be litigated to a final judgment,” said Eve Cervantez, the lead attorney for the plaintiffs.
Along with the settlement fund for those who want to enlist credit-monitoring services, the agreement requires Anthem to spend an undisclosed amount to beef up its cybersecurity. While the amount is under seal, court documents indicate Anthem will spend three times more on cybersecurity than what it spent before the breach.
The breach, which the company announced in February 2015, resulted in the theft of identifying information of about 79 million people. That information included names, dates of birth, Social Security numbers and health IDs, leading to widespread concerns that criminals could sell the data on the black market and use it for identity theft and other crimes.
Most credit-monitoring services cost anywhere from $9 to $20 per month, but due to the ability to buy the service in bulk, plaintiffs will be able to get cheaper rates, according to court documents.
Those who want to retain current credit-monitoring services, or pay for one of their choosing, will be allowed to pursue alternative compensation that could amount to $50 per class member.
Additionally, a separate $15 million fund will be established to pay for out-of-pocket expenses of those affected by the breach of their private data, the settlement says.
“The court further observes that the settlement agreement is the product of more than two years of litigation, including two rounds of motions to dismiss, extensive fact and expert discovery, and briefing on plaintiffs’ motion for class certification and the parties’ motions to exclude expert testimony,” Koh wrote.
After Anthem announced the breach in 2015, more than 100 lawsuits were filed in various state and federal courts throughout the country, all of which were consolidated in the Northern District of California with Koh presiding over the litigation.
While the claims might have diverged slightly from case to case, the premise was uniform: Anthem’s cybersecurity efforts were insufficient.
“Plaintiffs’ case depends, above all, on proving their allegations that the data breach was possible only because Anthem had aggregated 80 million people’s private information into a central data warehouse that was not properly secured,” the plaintiffs said in their motion for preliminary settlement.
The criminal hack is widely thought to have originated in China, but the Chinese government has loudly denied such allegations.
A hearing on the final settlement is slated to take place at the federal courthouse in San Jose on Feb. 1, 2018.