Anthem, one of the largest health insurers in the US, has agreed to settle a class action suit over the 2015 hack of its systems for a record-breaking $115 million.
But after lawyers' fees and costs, the victims of the breach -- all 78.8 million current and former customers, according to a company statement last week -- will see only a fraction of that figure.
The proposed settlement goes before a federal judge next month. If approved, it will be the largest data breach settlement in history.
The $115 million fund pays for at least two years of credit monitoring; compensation for those who already paid for credit monitoring; and out-of-pocket expenses incurred as a result of the breach.
But attorneys' costs and fees can take up to one-third of the fund -- $37.9 million -- which would leave about 97 cents per affected customer if the remainder were split evenly.
By comparison, the average cost of a data breach to the breached organization is about $158 per compromised record, according to recent research.
Here's how the rest of that fund breaks down:
Credit monitoring firm Experian gets $17 million from the fund to provide credit monitoring services for each of the affected current and former customers for two years.
For those who already enrolled in credit monitoring, the fund will provide cash compensation instead. That so-called "alternative compensation" pays $36 each, or up to $50 if funds remain, provided the affected customer applies for it within three months of the settlement agreement.
The fund also allows current and former Anthem customers to claim back "out-of-pocket expenses incurred by consumers as a result of the data breach."
The settlement agreement says that evidence a customer took preventive measures after the breach, such as buying credit monitoring or placing credit freezes, would be treated as "fairly traceable" to the breach and considered for reimbursement. A customer who proves their claim is reimbursed from a $15 million pot, which pays out case by case and only for as long as funds remain.
If anything is left in the settlement pot after that, it will be split equally between Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS) and the non-profit digital rights group Electronic Frontier Foundation.
One lawyer, who did not want to be named, told me that these kinds of settlements give attorneys a "huge payday," all while their clients "get enough to buy a couple sticks of gum each."
Anthem is also required to spend an undisclosed amount of its own money, separate from the settlement fund, to bring its systems up to an industry-standard level, including encrypting data and putting access controls in place.
Under the settlement, Anthem admits no guilt or wrongdoing for the breach, meaning it takes no responsibility for its own failure to use encryption and other security measures. A company spokesperson downplayed the breach, saying there was no evidence that any of the compromised data had been sold or used to commit fraud.
That is probably little solace to the millions of customers whose data was stolen, and whose loss of private information has been valued at less than a dollar each.