Anthem to pay record $115 million to settle data breach lawsuit

Health insurer Anthem has agreed to pay $115 million to settle a class-action lawsuit over a 2015 data breach involving the personal information of nearly 80 million individuals.

The settlement must still be approved by a court, but if it is, it will stand as the biggest data breach settlement in history.

Back in 2015, the Indianapolis, Indiana-based insurer was the victim of a cyberattack that involved the Social Security numbers, birthdates, addresses and healthcare ID numbers of 78.8 million people. At that time, Anthem said in a statement, it provided two years of credit monitoring and identity protection services to all impacted individuals.

Still, more than 100 lawsuits were filed against Anthem. They were eventually consolidated.

As part of the hefty $115 million settlement, Anthem will give data breach victims at least two years of credit monitoring and provide cash compensation for individuals who already enrolled in credit monitoring. The health insurer will also cover the out-of-pocket expenses victims have due to the data breach.

On top of that, Anthem has to allocate a certain amount of money for security purposes and make specific changes to its data security systems.

In a statement, the insurer said the settlement “does not include any finding of wrongdoing.” Anthem added that it “is not admitting any wrongdoing or that any individuals were harmed as a result of the cyberattack.”

Anthem continued: “Nevertheless, we are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

The insurer isn’t the only one pleased to see this legal matter drawing to a close.

“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” Eve Cervantez, co-lead plaintiffs’ counsel, said in a statement.

Photo: zimmytws, Getty Images

Article source: http://medcitynews.com/2017/06/anthem-settlement-data-breach/

,

No Comments

Healthcare Company CoPilot Settles Data Breach with $130K …

Boston — June 15-16, 2017
Nashville — June 27-28, 2017
Denver — July 18-19, 2017
Philadelphia — August 10 – 11, 2017
St. Petersburg — September 20-21, 2017
Raleigh — October 19-20, 2017
Beverly Hills — November 9-10, 2017
Dallas — December 14-15, 2017
San Diego — February 1-2, 2018
Cleveland — March 27-28, 2018

Article source: https://www.healthcare-informatics.com/news-item/cybersecurity/healthcare-company-copilot-settles-data-breach-130k-payment

,

No Comments

BREAKING: Anthem settles data-breach litigation for record $115 million

Anthem has reached a $115 million deal to settle a class-action lawsuit over a 2015 data breach in which hackers stole personal information from 78.8 million employees and current and former members.

The settlement is the largest data-breach settlement ever. As part of the deal, Anthem will offer two years of credit protection to those affected—in addition to the two years of monitoring they already received—and will set aside funding for cybersecurity improvements, including modifying its current cybersecurity systems. It will also set aside $15 million to pay plaintiffs for out-of-pocket costs due to the breach.

The deal comes more than two years after Anthem announced hackers had gained access to its IT system. They stole the names, birthdates, Social Security numbers, addresses, and other information of tens of millions of people.

“As we have seen in cyberattacks against governments and private sector companies including Anthem over the past few years, many cyberthreat actors are increasingly sophisticated and determined adversaries,” the company wrote in a statement. “Anthem is determined to do its part to prevent future attacks.”

The settlement must be approved by a U.S. District Court in California.

Article source: http://www.modernhealthcare.com/article/20170623/NEWS/170629931

,

No Comments

Anthem to Pay Record $115M to Settle Lawsuits Over Data Breach

Anthem Inc, the largest U.S. health insurance company, has agreed to settle litigation over hacking in 2015 that compromised about 79 million people’s personal information for $115 million, which lawyers said would be the largest settlement ever for a data breach.

The deal, announced Friday by lawyers for people whose information was compromised, must still be approved by U.S. District Judge Lucy Koh in San Jose, California, who is presiding over the case.

The money will be used to pay for two years of credit monitoring for people affected by the hack, the lawyers said. Victims are believed to include current and former customers of Anthem and of other insurers affiliated with Anthem through the national Blue Cross Blue Shield Association.

People who are already enrolled in credit monitoring may choose to receive cash instead, which may be up to $50 per person, according to a motion filed in California federal court Friday.

“We are very satisfied that the settlement is a great result for those affected and look forward to working through the settlement approval process,” Andrew Friedman, a lawyer for the victims, said in a statement.



The credit monitoring in the settlement is in addition to the two years of credit monitoring Anthem offered victims when it announced the breach in February 2015, according to Anthem spokeswoman Jill Becher, who said the company was pleased to be resolving the litigation.

The Indianapolis-based company did not admit wrongdoing, and there was no evidence any compromised information was sold or used to commit fraud, Becher said.

Related: More Than 4 Billion Data Records Were Stolen Globally in 2016

Anthem said in February 2015 that an unknown hacker had accessed a database containing personal information, including names, birthdays, social security numbers, addresses, email addresses and employment and income information. The attack did not compromise credit card information or medical information, the company said.

More than 100 lawsuits filed against Anthem over the breach were consolidated before Judge Koh.

The breach is one of a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies in recent years, including Target Corp, which agreed to pay $18.5 million to settle claims by 47 states in May, and Home Depot Inc, which agreed to pay at least $19.5 million to consumers last year.

Article source: http://www.nbcnews.com/news/us-news/anthem-pay-record-115m-settle-lawsuits-over-data-breach-n776246

,

No Comments

One Million Affected By WSU Data Breach

Names and personal data of about a million people may have been compromised in a burglary involving Washington State University property.

A WSU hard drive was stolen from a locked storage unit in Olympia in April.

It held research data the university compiled for school districts, the Census Bureau, the Washington Legislature, and other agencies.

WSU spokesperson Phil Weiler says the university has identified the people who could be affected.

“The challenge is an individual may not know that his or her data was on that hard drive because they’re not aware that the school district might be doing these multi-year studies, so that’s why it’s important for us to be able to send letters to individuals.”

Weiler says WSU is offering those affected free credit monitoring for one year, and has set up a hotline for people to call for more info.

He says at this point there is no reason to believe the burglar has accessed the information on the hard drive.

Police have no suspects at this time.

Copyright 2017 KUOW

Article source: http://nwpr.org/post/one-million-affected-wsu-data-breach

,

No Comments

$12B in Fraud Loss Came from Data Breach Victims in 2016

Three-quarters of the total fraud losses for 2016 arose from victims who had been victims of a data breach within the previous six years.

Data breach victims are likely to someday become victims of fraud. Of the $16 billion in total fraud loss for 2016, $8.3 billion came from victims who had experienced a breach in the past 12 months and $12 billion arose from victims who had breached in the previous six years.

These findings come from a Javelin Advisory Services report entitled “2017 Data Breach Fraud Impact Report: Going Undercover and Recovering Data.” Researchers discovered the proportion of breach victims who became fraud victims rose to 31.7%, the highest rate in six years.

Javelin claims its findings underscore the longevity of breached data and the interconnectedness between breaches and fraud. Increasingly smaller financial institutions are becoming aware of the Internet’s criminal underground and monitoring the dark Web for mentions of their brand and customers.

The companies with the most mature threat intelligence operations are those acknowledging criminal campaigns. Some operators have infiltrated online criminal groups, and some have paid for data claimed to be stolen. Some buy malware and crime kits directly from threat actors to analyze different malware strains for the purpose of defending against them.

Researchers found the most common type of breached data are credit and debit cards, which were compromised among 44% and 26% of breach victims, respectively, within the past 12 months. Thirteen percent of victims had their Social Security number compromised.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/$12b-in-fraud-loss-came-from-data-breach-victims-in-2016/d/d-id/1329211

,

No Comments

How To Stay Safe In A World Of Law Firm Data Breaches

Law360, Los Angeles (June 22, 2017, 9:24 PM EDT) — About two-thirds of law firms have experienced some sort of data breach, according to a forthcoming cybersecurity scorecard from Logicforce that gives eye-popping clarity to the extent of data breaches in the industry — and what firms can do about it. 

Logicforce, a technology consulting company for law firms, surveyed more than 200 firms about cybserecurity topics in a report reviewed Thursday by Law360. Company President John Sweeney told Law360 that while law firms are trying their best to stay ahead of the curve on data…

Article source: https://www.law360.com/articles/937681/how-to-stay-safe-in-a-world-of-law-firm-data-breaches

,

No Comments

Ouch! UK Govt’s Cyber Essentials scheme suffers data breach due to configuration error

Ouch! UK Govt's Cyber Essentials scheme suffers data breach due to configuration error

The UK Government’s Cyber Essentials digital security scheme has suffered a data breach caused by a configuration error in a software platform.

On 21 June, companies received word of the incident from Dr. Emma Philpott, chief executive at the Information Assurance for Small and Medium Enterprises (IASME) Consortium. One of the scheme’s Accreditation Bodies, IASME has incorporated Cyber Essentials into its information assurance standard. Suppliers wanting to secure contracts for work involving government data must therefore work with a Certification Body licensed by IASME or another Accreditation Body to achieve Cyber Essentials accreditation.

In her email to companies, Philpott explains the breach traces back to a configuration error involving its deployment of a platform developed by Pervade Software and used for Cyber Essentials assessments. As quoted by The Register:

“An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed. The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue.”

It’s a good thing the breach didn’t affect other suppliers’ financial information. (Other breaches involving UK companies haven’t been as lucky.)

UK GovernmentBut Cyber Essentials stands for better digital security practices. A breach involving this scheme is ironic, to say the least… if not downright infuriating. One affected employee vocalized this latter sentiment to The Register:

“We paid to be audited and registered with the UK Govt Cyber Essentials scheme, in order to be able to do business with govt organisations. Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the govt.”

With that information, attackers can conduct phishing campaigns and other attacks against affected companies, possibly with the lure of non-existent government contracts.

Currently, Pervade and IASME are working to fix the error. Let’s hope they follow up these efforts with an explanation of what happened and what they’re doing to prevent it from happening again.

Article source: https://www.grahamcluley.com/ouch-uk-govts-cyber-essentials-scheme-suffers-data-breach-due-configuration-error/

,

No Comments

Law Firm Survey Finds Majority Experienced A Data Breach

Law360, Los Angeles (June 22, 2017, 9:24 PM EDT) — About two-thirds of law firms have experienced some sort of data breach, according to a forthcoming cybersecurity scorecard from Logicforce that gives eye-popping clarity to the extent of data breaches in the industry — and what firms can do about it. 

Logicforce, a technology consulting company for law firms, surveyed more than 200 firms about cybserecurity topics in a report reviewed Thursday by Law360. Company President John Sweeney told Law360 that while law firms are trying their best to stay ahead of the curve on data…

Article source: https://www.law360.com/technology/articles/937681/law-firm-survey-finds-majority-experienced-a-data-breach

,

No Comments

How Proper Offboarding Can Help Prevent Data Breaches

​Shortly after she was fired from her job at the City of New Haven recently, a Connecticut woman reportedly snuck back into her former office, copied data onto her personal thumb drive and erased the private health records of 587 people from a government database.

This happened years after an employee terminated from Omega Engineering Inc. deleted all of the company’s programs, which cost the Bridgeport, N.J., organization $10 million in contracts and sales.

In this digital age, where data breaches happen mostly online, these examples serve as reminders to HR professionals why policies should be in place to safeguard data not just physically but also virtually.

In the newly released 2017 Cost of Data Breach Study, conducted by IBM Security and the Ponemon Institute, malicious insiders or criminals caused 47 percent of all breaches. “The average cost per record to resolve such an attack was $156,” the report revealed. “In contrast, system glitches cost $128 per record and human error or negligence is $126 per record.”

Despite this, fewer than half of in-house counsel (45 percent) said their organizations require employees to take training on how to prevent cybersecurity breaches, according to the Association of Corporate Counsel (ACC) Foundation.

“HR has a tremendous opportunity” to educate employees about good cybersecurity habits, said Amar Sarwal, vice president and chief legal strategist for the ACC, in an interview with SHRM Online.

That includes providing guidance about both online and offline behavior, experts said.

Increased Access

“You have to have the right governance in place to make sure [departing employees] can’t get into” computer files, said Alvaro Hoyas, chief information security officer at One Login, an identity and access management software company based in San Francisco.

“The challenge is that there are so many places where access is granted to an individual in every company. It’s a bigger problem now,” he told SHRM Online in a phone interview.
And Hoyas’ warning doesn’t apply just to disgruntled employees who can physically enter an office to commit crimes against a former employer.

“We need to move beyond having a key card or simply taking away people’s keys,” Hoyas added. “That’s not effective nowadays because we have a very mobile workforce.” Employees use mobile phones, work remotely on laptops, and log in to company systems from their own computers through shared drives or the cloud.

“You need to manage your employees wherever they exist and wherever they log in from,” he said. “Users log in from home, from their office and they can log into apps and e-mails from their own devices. Most of the time companies aren’t paying for people’s cellphones,” he pointed out.

Employers should keep that in mind when an employee leaves and they must cut off access to his or her computer, Hoyas said.

 

[SHRM members-only HR QA: Much of our employee data is now electronic and is accessible via the Internet and mobile devices. What are some best practice approaches to safeguard this information?]

Offboarding Best Practices

The first step, he and other experts said, is to know what employees have access to. That information should be available before an employee’s access to computer systems is terminated.

Other steps include:

  • Deactivating employees’ access to computers in a timely manner. IT and HR need

    to communicate, Hoyas said. For instance, if someone is terminated through an HR platform like Workday, UltiPro, ADP or Namely, these platforms make it easier for HR to notify IT that a firing has occurred, and IT can more quickly terminate access to all internal computer systems and collect laptops, key cards, token generators and other devices that might authenticate an end-user and let them connect to the network.

    “From there, they can’t try to get to a common shared directory,” he said. “It should be a streamlined process initiated by HR, and then IT should collect their devices.”

  • Making sure that, if they own files in a file-sharing system, those files are transferred to someone else.

    “Have a clear cleanup process,” Hoyas said. “So, if this person is in charge of XYZ, know who is going to take over their files or relationships or e-mails.” He said HR and IT should have a policy declaring what happens in the event of termination and resignations. For example, when a person is offboarded, are his or her e-mails forwarded to someone else in the company or “are you going to shut it down or send an autoreply that this person is no longer with the company?”

    One of the most important things is to make sure “all parties that are relevant to this whole process are in sync,” he said. “Managers, HR and IT need to clearly communicate procedures and expectations so nothing falls through the cracks.”

Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.

Article source: https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/how-proper-offboarding-can-help-prevent-data-breaches.aspx

,

No Comments