Cybersecurity Law: U.S. District Court Approves $115M Anthem Data Breach Settlement

On August 16, 2018, the United States District Court for the Northern District of California issued an order approving a mega $115 million settlement in the Anthem data breach litigation. After considering the recommendations of a special master retained to review billing submitted by plaintiffs’ attorneys, U.S. District Court Judge Lucy Koh also awarded plaintiffs $31.05 million in attorneys’ fees and over $2 million in unreimbursed expenses, among other litigation cost reimbursements. The approved settlement marks the end of one of the largest data breaches in history.

Anthem, Inc. is one of the largest health benefits and health insurance companies in the United States. In order to provide services to its members, Anthem collected, received and stored an enormous amount of personal information regarding its members, including names, addresses, dates of birth, Social Security numbers and individual health information. At the time of the data breach in late 2014 and early 2015, Anthem maintained all of this information in a common computer database. Through the breach of Anthem’s computer database, hackers gained access to personal information of approximately 80 million individuals stored on Anthem’s database. After Anthem publicly announced the breach in February 2015, several lawsuits on behalf of consumers and members were filed. Ultimately, the pretrial proceedings for the various cases were consolidated in the United States District Court for the Central District of California before Judge Koh.

Over the next two years, the parties litigated multiple rounds of motions to dismiss and briefed the issue of class certification. Prior to any formal class-certification ruling, the parties reached a settlement in June 2017 in the amount of $115 million. While the Court granted preliminary approval of the $115 million settlement on August 25, 2017, plaintiffs filed a motion for attorneys’ fees and litigation expenses seeking, among other relief, $37.95 million in attorneys’ fees. Due to the sheer size of the attorneys’ fees request, which covered 329 billers from 53 law firms and 78,892.5 hours of legal work, the Court appointed a Special Master to perform a close examination regarding the reasonableness of the attorneys’ fees request and to prepare a report calculating the lodestar for the representation of the plaintiff Class in the action. The Court explained that “employing 53 law firms likely resulted in unnecessarily duplicative or inefficient work by virtue of the fact that so many billers needed to familiarize themselves with the case and keep abreast of case developments.”

With respect to plaintiffs’ request for $37.95 million in attorneys’ fees, the Court was faced with the choice of applying either a lodestar method (i.e., calculated by multiplying the number of hours the prevailing party reasonably expended on the litigation [as supported by adequate documentation] by a reasonable hourly rate for the region and for the experience of the lawyer) or the percentage-of-recovery method (i.e., wherein 25% of the common settlement fund is a presumptively reasonable amount of attorneys’ fees). Although the Special Master recommended cutting plaintiffs’ attorneys’ fee request by over $7 million due to excessive hours and billing rates, the Court ultimately adopted a percentage award of 27% of the common settlement fund (or $31.05 million) rather than the 33% (or $37.95 million) requested by plaintiffs.

The takeaway here is that cybersecurity exposures and data breaches are extremely costly, even if these risks are settled and resolved relatively early in the litigation process. In addition to the $115 million settlement fund, plaintiffs were awarded the following additional amounts to account for attorneys’ fees and unreimbursed costs:

  • $31,050,000.00 in attorneys’ fees;
  • $2,005,068.59 in unreimbursed expenses (i.e. expert witness fees, case-related travel, transcript fees, document management, mediation fees, operation of a call center to respond to class members, electronic research and secretarial overtime);
  • $132,000.00 as a total cost reserve for the retention of a cybersecurity expert to review Anthem’s annual cybersecurity reports and to operate a call center as long as necessary to assist class members with the claims filing process;
  • $597,500.00 in service awards for the time and effort spent in the case by class representatives.

With respect to the $115 million settlement fund, the money will be used to pay for two years of credit monitoring for people affected by the breach, including current and former customers of Anthem and other affiliated insurers of the national Blue Cross Blue Shield Association. Customers who already have credit monitoring may choose to receive a cash settlement instead (up to $50 per person).
