Health insurance giant Anthem is set to pay out a record $115m to customers affected by a massive data breach in 2015 which exposed the records of around 79 million patients.
The firm, which is the largest of its kind in the US, will still need to wait until presiding US district judge Lucy Koh approves the settlement payout.
The case is effectively over 100 lawsuits against the company combined into one.
The money, said by the lawyers involved to be a record payout, will be used to pay for two years of credit monitoring for those hit by the cyber-attack.
That’s in addition to the initial two years offered to victims by Anthem following the breach in February 2015.
Those who already have such services to help alert them if their account details are being abused can choose to receive their share of the settlement payment – thought to be around $50 – in cash instead, according to Reuters.
However, thus far there’s been no evidence that the personal information stolen by hackers two years ago has been bought or sold on the darknet by cyber-criminals.
That data apparently included names, birthdays, social security numbers, addresses and email addresses, as well as employee info, but not credit card or medical data.
The lack of activity on the cybercrime underground has led some to get behind the theory that foreign state-sponsored hackers, possibly from China, were behind the attack.
That was the conclusion reached by the California Department of Insurance, which said it had a “medium degree of confidence” that the attacker was affiliated with a foreign nation state.
If so, it can probably be grouped with attacks such as the raid on the Office of Personnel Management (OPM), which were designed to harvest details of US citizens that could prove useful to intelligence services.
Anthem has already paid out more than $260m for security improvements and for remediation and clean-up following the breach, yet another warning to boards of the potentially major financial repercussions of a cyber-attack.