Factbox: Biggest U.S. data breach settlements before Equifax

(Reuters) - The U.S. Federal Trade Commission announced on Monday that Equifax Inc. EFX.N will pay up to $700 million for a data breach that exposed millions of consumers' personal information.

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

The following are seven of the largest data breach settlements in recent years.

1) Equifax

Following its 2017 data breach, Equifax will pay up to $700 million to the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau and nearly all U.S. states and territories. That includes a $175 million fine to the states and $100 million to the CFPB. It will also establish a $300 million restitution fund for harmed consumers. That amount could grow to $425 million depending on how many consumers act on it.

2) Uber

In 2018, ride-hailing app Uber UBER.N reached a $148 million settlement with 50 U.S. states and Washington, D.C., for failing to disclose a massive data breach in 2016. It exposed personal data from 57 million user accounts.

3) Target

Retailer Target Corp TGT.N agreed in 2017 to pay $18.5 million to 47 U.S. states and the District of Columbia for the company's massive 2013 data breach. Target reported that hackers stole data from up to 40 million credit and debit cards from shoppers who visited its stores in the 2013 holiday season.

4) Anthem

Anthem, Inc. ANTM.N agreed to pay $16 million to the U.S. Department of Health and Human Services and the Office for Civil Rights in 2018 to settle potential violations of HIPAA, the Health Insurance Portability and Accountability Act Privacy and Security Rules, an HHS statement said. A series of cyberattacks exposed the health information of almost 79 million people.

5) Premera

Earlier this month, health insurance company Premera Blue Cross agreed to pay $10 million to 30 U.S. states for allegedly failing to secure consumer data. A hacker had access to its network of private health information and Social Security numbers from May 2014 to March 2015, a statement from the Washington state attorney general said.

6) Nationwide Mutual

Insurance company Nationwide Mutual agreed in 2017 to pay $5.5 million to 33 U.S. states for a 2012 data breach. The attorneys general alleged that the company failed to apply a critical security patch and resulted in the loss of the personal information of over one million consumers.

7) Ashley Madison

Adultery website Ashley Madison’s parent company Ruby Corp agreed in 2016 to pay $1.6 million to settle FTC and state charges that it failed to protect 36 million users’ account and profile information in a July 2015 data breach. In a separate 2017 settlement, the company agreed to pay $11.2 million in a class-action settlement, which said users with valid claims could recoup up to $3,500 depending on their losses from the breach.

Reporting by Bryan Pietsch; Editing by Nick Zieminski