Anthem, Inc. has set a record for the second time. The first was for the largest breach of medical information to date, affecting over 80 million subscribers. The second occurred on Friday August 25, 2017 when U.S. District Court Judge Lucy Koh gave preliminary approval to a $115 million settlement, a record for a settlement stemming from a data breach.
The settlement agreement granted preliminary approval by the court comprises $15 million to pay any out-of-pocket costs incurred by class members, such as expenses incurred in resolving identity theft from stolen information or fraud. The agreement also provides for $38 million in class counsel fees (class certification, which was hotly contested until settlement talks commenced in earnest in the spring, was granted by Judge Koh for purposes of the settlement only).
The benefits to Anthem of a settlement were highlighted by Judge Koh’s 2016 rulings that plaintiff’s claims could proceed under California and New York consumer protection statutes. These claims averred that Anthem’s contract with its subscribers (consumers under these statutes) was “deceptive” with regard to representations about security of the subscribers’ information that, in the wake of the cyber attack, turned out to be false. State consumer protection law claims, then, figured prominently in this settlement as standards of proof are different from, and often lower than, causes of action based on federal statutes.
The court also ruled that the loss of personally identifiable information of the health plan subscribers was, itself, “cognizable economic injury.” A number of federal circuits have since followed this reasoning in data breach litigation.
If you have questions regarding potential or actual data breach litigation, please contact Kenneth N. Rashbaum.