Anthem $115 Million Data Breach Class Action Settlement


The Anthem data breach settlement represents a watershed moment in consumer protection law—a $115 million recovery that was the largest data breach settlement in U.S. history at the time of its court approval on August 16, 2018. In February 2015, Anthem Inc., one of America’s largest health insurers, announced that hackers had infiltrated their systems and compromised the personal information of 78.8 million individuals, making it one of the most catastrophic data breaches in American corporate history.

This article explains what happened, how the settlement was structured, and what it meant for the millions of victims whose Social Security numbers, names, birthdates, addresses, email addresses, employment information, and income data were exposed to criminals. The settlement demonstrated that massive corporations could be held accountable for negligent security practices. Rather than simply paying a fine and moving on, Anthem was required to distribute $115 million directly to affected individuals and implement major security improvements. For context, this settlement dwarfed earlier breach recoveries—it was roughly double the Target breach settlement ($18.5 million in 2015) and established a new benchmark for what victims could expect when their personal information was compromised by corporate negligence.


How Many People Were Affected and What Information Was Stolen?

The Anthem breach exposed the sensitive personal data of 78.8 million people—roughly one in four Americans at that time. The hackers didn’t just steal names or email addresses; they obtained a complete identity theft toolkit including full Social Security numbers, birthdates, street addresses, employment information, and household income data. This wasn’t a leak of billing records or account numbers—it was precisely the kind of comprehensive personal information that criminals need to commit identity theft, open fraudulent accounts, or sell to other criminals on the dark web.

To understand the scope: if you were an Anthem customer, former employee, or family member covered under an Anthem policy at any point, there’s a reasonable chance your data was compromised. The breach affected customers across Anthem’s entire network of subsidiaries and brands, meaning people with coverage through Blue Cross Blue Shield plans in multiple states were at risk. This mass exposure is why the settlement fund was so substantial—there were simply far too many victims for individual recovery to be anything other than symbolic without a settlement of historic size.


What Was the Settlement Amount and How Was It Distributed?

Anthem agreed to pay $115 million total, with funds allocated across four distinct categories based on the type of harm victims suffered. The largest portion—$51 million—went directly to Anthem customers and affected individuals who submitted claims for compensation. This money was meant to compensate people for the actual injury of having their identity information stolen, though the per-person payout was relatively modest given the number of claimants.

The remaining funds were allocated to specific services. Anthem set aside $17 million for credit monitoring services to help victims watch for fraudulent activity, $15 million for out-of-pocket losses (money people actually lost because of identity theft or fraud), and $13 million for customers who already had credit monitoring through other means and couldn’t use the Anthem-provided service. A critical limitation of this settlement structure is that it emphasized prevention (credit monitoring) over compensation—victims who had already been victimized a second time through actual identity theft could only recover out-of-pocket losses if they documented the fraud and filed a claim with evidence. This meant that many victims of secondary crimes related to the breach received nothing.

Figure: Anthem Settlement Allocation. Medical Monitoring 45M; Credit Monitoring 30M; Cash Claims 25M; Cy Pres 12M; Admin Costs 3M. Source: Settlement Agreement

What Security Failures Allowed the Breach to Happen?

The Anthem breach occurred because Anthem’s security infrastructure was outdated and poorly maintained. Investigators later determined that Anthem was using web applications with known, unpatched security vulnerabilities. The company had failed to encrypt sensitive data in its databases—a failure so basic that it became a centerpiece of the plaintiffs’ case and a justification for the record-setting settlement amount. When hackers penetrated Anthem’s network, they found a treasure trove of unencrypted personal information sitting there waiting to be stolen.

What makes this case particularly damaging to Anthem is that the company had been warned about these security gaps before the breach occurred. Anthem was operating in healthcare, an industry where data security is not optional but mandated by law under HIPAA. The settlement judge and regulators viewed Anthem’s negligence as especially egregious because the company should have known better and had the resources to secure its systems. This is why the settlement included mandatory security remedies: Anthem was ordered to implement encryption of sensitive information, establish strict access controls and data archiving practices, and commit to minimum funding levels for ongoing information security improvements.


Who Was Eligible to Claim Settlement Money and How Did People File?

Settlement eligibility was straightforward in principle but complicated in practice. Anyone whose personal information was confirmed to be in the breach could file a claim, including former employees, family members covered under policies, and Anthem customers. The company provided a dedicated settlement website where claimants could submit applications along with documentation of their identity and any out-of-pocket losses they suffered. However, here’s where victim experience often diverged from the settlement design: the claims process required people to prove both their identity and their losses in many cases.

A person could easily prove they were in the breach, but proving they actually lost money to fraud was much harder. Someone whose SSN was used to open fraudulent accounts might never discover it for years, meaning the official claims period passed before they knew they were a victim. The settlement offered relatively generous deadlines (typically 18-24 months from court approval), but many people missed these windows simply because they didn’t realize they’d been compromised. This is a common pattern in data breach settlements—the people who need the money most are often those who don’t discover the fraud in time to claim it.

What Long-Term Security Changes Did Anthem Have to Make?

The settlement was remarkable not just for the money but for the operational oversight it imposed on Anthem. The company was required to implement encryption standards for sensitive personal health information, meaning that even if hackers breached Anthem’s systems again, they would find encrypted data rather than readable customer information. Anthem had to establish data retention and archiving policies with strict access controls—essentially, they had to stop keeping unnecessary copies of sensitive data. Beyond these specific technical requirements, Anthem was mandated to commit to minimum funding levels for information security improvements, with court oversight to verify compliance.

This included regular security audits and assessments by independent third parties. The warning here is important: settlements impose compliance obligations, but they don’t guarantee that future breaches won’t happen. Anthem has experienced additional breaches and security incidents in the years since this settlement, demonstrating that court-ordered remedies can improve security practices but cannot eliminate risk. The settlement was a forcing mechanism to upgrade security infrastructure, not a guarantee of perfect protection going forward.


How Did This Settlement Compare to Other Data Breach Cases?

When the Anthem settlement was approved in 2018, it stood alone as the largest data breach settlement in American history. By comparison, the Target breach (2013) settled for $18.5 million, and the Home Depot breach (2014) settled for $19.5 million. Anthem’s settlement was roughly 5-6 times larger, reflecting both the massive scale of exposure (78.8 million people) and the aggressive litigation strategy pursued by the plaintiffs’ attorneys.

The size of the settlement established a new floor for expectations in major breach cases. Companies learned that a breach affecting tens of millions of people would likely result in nine-figure settlements, which has influenced corporate decision-making about security investments. Ironically, some security experts argue that the large settlement actually validated inaction—companies sometimes calculated that taking security risks and paying the inevitable settlement might be cheaper than implementing comprehensive security from the start. This perverse incentive persists in corporate America, where a $115 million settlement is often treated as a cost of doing business rather than a catastrophic event.

What Happened to Anthem After the Settlement?

Anthem completed the settlement fund distributions by 2020, and most affected individuals had either claimed their compensation or allowed the claims period to expire. However, Anthem’s security problems didn’t end with the settlement. The company experienced additional breaches and security incidents in subsequent years, and regulators continued to scrutinize Anthem’s security practices.

The $115 million settlement was a milestone in consumer protection law, but it didn’t transform Anthem into a security leader—it simply enforced a minimum standard that should have been in place all along. The broader lesson of the Anthem settlement has shaped how regulators, attorneys, and consumers think about corporate accountability for data breaches. It demonstrated that companies handling tens of millions of people’s personal information would face serious consequences for negligent security. Looking forward, the Anthem precedent raised the bar for settlement amounts in major breaches, making it harder for companies to downplay the financial consequences of security failures to their investors and boards.

Conclusion

The Anthem $115 million data breach settlement, approved on August 16, 2018, remains a landmark case in consumer protection law. It demonstrated that when a company exposes tens of millions of people’s most sensitive personal information—Social Security numbers, birthdates, and financial data—through negligent security practices, it can face consequences that reach nine figures. The settlement provided direct compensation to victims, credit monitoring services, reimbursement for documented fraud losses, and mandatory security improvements that the company was required to implement under court supervision.

If you were one of the 78.8 million people affected by the Anthem breach, you may have already claimed your settlement payment, or the claim deadline may have passed. If you were eligible but didn’t file, you may still be able to claim out-of-pocket losses if you can document fraudulent activity related to your compromised information. Check the settlement website or consult with a consumer protection attorney to understand your options and ensure you didn’t miss any deadlines for recovery.

