Was $115M Anthem settlement deft lawyering or dud?

Greg Andrews

An army of class action attorneys took on Indianapolis-based Anthem Inc. over its massive 2015 data breach. And by their own estimation, they did a heck of a job when they got the insurance giant last summer to agree to a $115 million settlement.

Now they’re ready to collect their reward in the form of attorney’s fees. They filed paperwork in federal court in California last month seeking $38 million in fees and $2 million in expense reimbursements.

“Plaintiffs’ counsel have successfully litigated a groundbreaking case,” wrote attorneys for the two firms serving as lead counsel, San Francisco-based Altshuler Berzon LLP and Washington, D.C.-based Cohen Milstein Sellers & Toll PLLC. “The proposed settlement is the largest ever achieved in a data breach case.”

But some Anthem customers are unimpressed by the deal—which received preliminary approval in August—and even less so by the fee request.

“For a company that made $2.5 billion in profits the last two years in a row, a $115 million penalty is hardly a slap on the wrist,” Anthem customer Joseph Oriowske said in a January court filing urging Judge Lucy Koh to reject the deal.

Making matters worse, critics say, is that the vast majority of the nearly 80 million data breach victims would receive two years of Experian fraud protection and credit monitoring as their sole compensation.

Anthem gave victims two years of credit monitoring when it made the breach public. Some opponents say the additional monitoring is of dubious value—given that data hacks have become so common that many Americans already have similar coverage. Further, so much time has elapsed that the need for the coverage has dropped.

Anthem disclosed in early 2015 that 78.8 million current and former customers’ records had been stolen by hackers from December 2014 through the following January—a disclosure that touched off more than 100 lawsuits accusing the insurer of inadequate data security. The cases, some brought by Indianapolis-based Cohen & Malad LLP, were consolidated into the California suit.

Under the settlement, Anthem did not admit wrongdoing or acknowledge anyone was harmed by the cyberattack. Even so, it agreed to set aside $15 million to reimburse customers who suffered out-of-pocket costs as a result of the breach, up to certain limits, and it earmarked $17 million to purchase Experian credit-monitoring services.

Customers who already have credit monitoring and certify they will keep it through October of this year are eligible for a cash payment of up to $50, from a total pot of $13 million.

A far larger sum, $23 million, is earmarked to pay California-based Kurtzman Carson Consultants, which was hired to administer the settlement, including mailing postcards to 50 million current or former Anthem customers for whom addresses are known.

In an objection to the fee request, Anthem customer Adam Schulman noted that the settlement-administrator fee and the proposed attorney’s fees gobble up well over half the settlement.

“This is outrageous on its face and a plain violation of … law,” he said in an objection to the fee request.

But the class action attorneys say achieving the results they did was a Herculean accomplishment, one that encompassed more than 78,000 hours of challenging legal work.

“In reaching this historic result, counsel took on four well-resourced law firms and matched them every step of the way, beating back two motions to dismiss; completing a massive discovery effort that included nearly 200 depositions and 3.8 million pages of documents; and fully briefing class certification in the near absence of precedent certifying a data breach class,” the attorneys wrote.

In addition, the customers benefit from Anthem’s buying the credit-monitoring service at a bulk discount. Customers buying that coverage on their own would pay at least $240 apiece, the attorneys said.

And on top of all that, Anthem agreed to conduct adversarial simulations at least twice a year, which would mimic a malicious attacker, and to triple its spending on IT security over three years compared with pre-breach levels.

The dollar value of that commitment is not public record, however, because Anthem argued it was a trade secret that should be redacted.

The irony of that stance wasn’t lost on customer Kelly Kress, who objected to the settlement and fees. “Indeed, the defendant wishes to keep information private and confidential—despite permitting the disclosure of millions of customers’ private information,” her attorneys wrote.
