CLASS ACTION COMPLAINT

Jason S. Hartley (CA Bar No. 192514)
STUEVE SIEGEL HANSON LLP
550 West C Street, Suite 1750
San Diego, CA 92101
Phone: (619) 400-5822
Fax: (619) 400-5832
[email protected]

Norman E. Siegel
Barrett J. Vahle
J. Austin Moore
(pro hac vice forthcoming)
STUEVE SIEGEL HANSON LLP
460 Nichols Road, Suite 200
Kansas City, Missouri 64112
Phone: (816) 714-7100
Fax: (816) 714-7101
[email protected]
[email protected]
[email protected]

Attorneys for Plaintiffs

IN THE UNITED STATES DISTRICT COURT

FOR THE SOUTHERN DISTRICT OF CALIFORNIA

KELLEN EDWARDS and GEORGE NICOUD, on behalf of themselves and all others similarly situated,

Plaintiffs,

v.

ANTHEM, INC., and BLUE CROSS OF CALIFORNIA d/b/a ANTHEM BLUE CROSS,

Defendants.

CASE NO. '15CV0318 NLSLAB

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiffs George Nicoud and Kellen Edwards, individually and on behalf of the classes of similarly situated persons defined below, allege the following against Anthem, Inc. and Blue Cross of California d/b/a Anthem Blue Cross (collectively referred to herein as “Anthem” or “Defendants”) based upon personal knowledge with respect to themselves and on information and belief derived from, among other things, investigation of counsel and review of public documents as to all other matters.

NATURE OF THE ACTION

1. Anthem Inc., the second-largest health insurer in the United States by market value, recently suffered the largest healthcare-related data breach in history. The breach included the personal information of both current and former members and employees of Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, BlueCard and numerous other state Blue Cross and Blue Shield programs, the full extent of which is still unknown.

2. On February 4, 2015, Anthem first publicly disclosed that hackers had breached the company’s computer systems which stored the full names, birth dates, medical IDs, Social Security numbers, physical addresses, e-mail addresses, and employment information, including income and employment history (“Personal Information”), of approximately 80 million current and former Anthem health insurance plan members and Anthem employees. On February 12, 2015, Anthem admitted that the stored information dated back to 2004,1 putting every current or former Anthem employee and plan member in the last decade at risk.

1 Chad Terhune, Anthem says hackers had access to customer data back to 2004, LA TIMES, (Feb. 12, 2015), <http://www.latimes.com/business/la-fi-anthem-data-breach-20150212-story.html> (last visited Feb. 12, 2015).

3. Plaintiffs are current and former Anthem Blue Cross plan members and bring this class action lawsuit on behalf of Anthem health plan members and Anthem employees whose personal information has been compromised as a result of Anthem’s failure to maintain reasonable and adequate security measures to safeguard its members’ and employees’ Personal Information. Plaintiffs are seeking damages, restitution, and injunctive relief requiring Anthem to implement and maintain reasonable and effective security practices.

PARTIES

4. Plaintiff George Nicoud is a resident of California. He paid health insurance premiums to Anthem Blue Cross PPO for many years prior to terminating coverage at the end of 2014.

5. Plaintiff Kellen Edwards is a resident of San Diego, California. He currently has health insurance with Anthem Blue Cross, and has for several years.

6. Defendant Anthem, Inc. is an Indiana corporation with its principal place of business in Indianapolis, Indiana. Anthem, Inc. was formerly known as WellPoint, Inc. and changed its name on December 3, 2014.

7. Defendant Blue Cross of California d/b/a Anthem Blue Cross is a California corporation, and wholly owned subsidiary of Anthem, Inc. Blue Cross of California is the state’s largest for-profit health insurer.

JURISDICTION AND VENUE

8. This Court has jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2). The amount in controversy exceeds $5 million exclusive of interest and costs. At least one Plaintiff and Defendant are citizens of different states. There are more than 100 putative class members.

9. This Court has jurisdiction over Defendants Anthem and Blue Cross of California because they are registered to conduct business in California, have sufficient minimum contacts in California, or otherwise intentionally avail themselves of the markets within California, through the promotion, sale, marketing and distribution of their products in California, to render the exercise of jurisdiction by this Court proper and necessary. Defendant Blue Cross of California is incorporated in California.

10. Venue is proper in this District under 28 U.S.C. § 1391 because Defendants conduct substantial business in this District, Plaintiff Edwards resides in this District, and a substantial part of the events giving rise to Plaintiff Edwards’s claims occurred in this District.

FACTUAL ALLEGATIONS

Anthem Collects Significant Amounts of Employee and Member Information

11. According to its annual U.S. Securities and Exchange Commission (SEC) filings, “Anthem, Inc. is one of the largest health benefits companies in terms of medical membership in the United States, serving 35.7 million medical members through our affiliated health plans and more than 67.8 million individuals through all subsidiaries as of December 31, 2013.”2

2 Wellpoint, Inc., Annual Report (Form 10-K), at 3 (for the fiscal year ended December 31, 2013), <http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm> (last visited Feb. 12, 2015).

12. Anthem is an independent licensee of the Blue Cross and Blue Shield Association, an association of independent health benefit plans. Anthem, through its subsidiaries, is licensed to conduct insurance operations in all 50 states, and conducts business in California through the business operations of its wholly owned subsidiary, Anthem Blue Cross. Anthem provides health insurance coverage as “Blue Cross and Blue Shield” in Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin. Anthem offers health insurance through its wholly-owned subsidiary “Amerigroup” in Florida, Georgia, Kansas, Louisiana, Maryland, Nevada, New Jersey, New York, Tennessee, Texas and Washington. Anthem also provides health insurance to certain Arizona, California, Nevada, New York and Virginia markets through its subsidiary “CareMore,” and throughout the country as “HealthLink” and “UniCare.”3

13. In a notice available on its website, Anthem states that it collects, uses and shares the “nonpublic” and “personal” information of its members.4 The notice provides that Anthem “may collect [Personal Information] about you from other persons or entities, such as doctors, hospitals or other carriers. We may share [Personal Information] with persons or entities outside of our company — without your OK in some cases.”5 The notice further provides that “[b]ecause [Personal Information] is defined as any information that can be used to make judgments about your health, finances, character, habits, hobbies, reputation, career and credit, we take reasonable safety measures to protect the [Personal Information] we have about you.”6

3 See id.

4 Anthem Notice: Information that’s important to you, <https://www.anthem.com/health-insurance/nsecurepdf/english_common_11832ANMEN> (last visited Feb. 12, 2015).

5 Id.

6 Id.

14. Anthem recognizes that its members’ and employees’ Personal Information is highly sensitive and that it has a duty to safeguard and secure such information. Anthem states on its website:

Personal Information (Including Social Security Number) Privacy Protection Policy

Anthem Blue Cross and Blue Shield maintains policies that protect the confidentiality of personal information, including Social Security numbers, obtained from its members and associates in the course of its regular business functions. Anthem Blue Cross and Blue Shield is committed to protecting information about its customers and associates, especially the confidential nature of their personal information (PI).

Personal Information is information that is capable of being associated with an individual through one or more identifiers including but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

Anthem Blue Cross and Blue Shield is committed to protecting the confidentiality of Social Security numbers and other Personal Information.

Anthem Blue Cross and Blue Shield’s Privacy Policy imposes a number of standards to:

guard the confidentiality of Social Security numbers and other personal information,

prohibit the unlawful disclosure of Social Security numbers, and

limit access to Social Security numbers.

Anthem Blue Cross and Blue Shield will not use or share Social Security numbers or personal information with anyone outside the company except when permitted or required by federal and state law.

Anthem Blue Cross and Blue Shield Associates must only access Social Security numbers or personal information as required by their job duties. Anthem Blue Cross and Blue Shield has in place a minimum necessary policy which states that associates may only access, use or disclose Social Security numbers or personal information to complete a specific task and as allowed by law.

Anthem Blue Cross and Blue Shield safeguards Social Security numbers and other personal information by having physical, technical, and administrative safeguards in place.7

15. Anthem also recognizes that protecting the Personal Information of its members and employees is vital to its “business, reputation and profitability.” In a recent SEC filing, Anthem stated:

As part of our normal operations, we collect, process and retain sensitive and confidential member information.

We are subject to various federal, state and international laws and rules regarding the use and disclosure of sensitive or confidential member and provider information, including HIPAA, the HITECH Act, the Gramm-Leach-Bliley Act, and numerous state laws governing personal information.

Despite the security measures we have in place to help ensure compliance with applicable laws and rules, our facilities and systems, and those of our third party service providers, are vulnerable to cyber-attacks, security breaches, acts of vandalism, computer viruses, misplaced or lost data, programming and/or human errors or other similar events.

Noncompliance with any privacy or security laws and regulations, or any security breach, cyber-attack or cyber security breach, and any incident involving the misappropriation, loss or other unauthorized disclosure of, or access to, sensitive or confidential member information, whether by us or by one of our vendors, could require us to expend significant resources to remediate any damage, interrupt our operations and damage our reputation, and could also result in regulatory enforcement actions, material fines and penalties, litigation or other actions which could have a material adverse effect on our business, reputation and results of operations.8

7 Anthem Privacy Statement, <https://www.anthem.com/health-insurance/about-us/privacy#hipaa> (last visited Feb. 12, 2015).

8 Wellpoint, Inc., Annual Report (Form 10-K), at 34-35 (for the fiscal year ended December 31, 2013), <http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm> (last visited Feb. 12, 2015).

16. In addition to its substantial current member and employee database, Anthem also stores and maintains the Personal Information of former members and employees–even years after their relationship with Anthem has ended. Anthem admitted that hackers gained access to employee and member information dating all the way back to 2004.9

17. Anthem has a history of failing to adequately protect the Personal Information of its members. In 2010, Anthem (then Wellpoint) was fined $1.7 million by the U.S. Department of Health and Human Services (HHS) for a computer breach that resulted in the disclosure of personal information of approximately 612,000 people. The HHS investigation found that in 2009 and 2010, Anthem did not adequately implement policies and procedures to protect unsecured “electronic protected health information” covered by the Health Insurance Portability and Accountability Act (HIPAA), including the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information of Anthem customers.10

18. Although the CEO of Anthem recently stated that “[s]afeguarding [members’] personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data,”11 Anthem’s past history and the details of the most recent breach make clear that Anthem failed to take even basic safeguards to protect the Personal Information of its members and employees.

9 Chad Terhune, Anthem says hackers had access to customer data back to 2004, LA TIMES, Feb. 12, 2015, <http://www.latimes.com/business/la-fi-anthem-data-breach-20150212-story.html> (last visited Feb. 12, 2015).

10 July 8, 2013 Resolution Agreement between HHS and WellPoint, Inc. <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.pdf> (last visited Feb. 12, 2015).

11 Kara Brandeisky, Anthem Health Insurance Was Hacked. Here’s What Customers Need to Know, TIME, Feb. 5, 2015, <http://time.com/money/3697026/anthem-data-breach-social-security/> (last visited Feb. 12, 2015).

The Anthem Data Breach

19. On February 4, 2015, Anthem announced that hackers had breached its network and obtained the personal information of approximately 80 million Anthem health insurance plan members and Anthem employees. The affected brands and plans are Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and Unicare as well as members of the Blue Cross and Blue Shield Association’s BlueCard program. The information obtained by the hackers includes full names, birth dates, medical IDs, Social Security numbers, physical addresses, e-mail addresses, and employment information, including income and employment history.

20. Investigators believe that the hackers accessed Anthem’s database by using the credentials of five different Anthem employees.12 Anthem confirmed that unauthorized attempts to access the network started at least between December 10, 2014 and January 27, 2015, but may have started even earlier.13

21. According to security blogger Brian Krebs of Krebs on Security, an “analysis of open source information on the cybercriminal infrastructure” suggests that hackers may have first gained access to Anthem’s network in April of 2014, nine months before Anthem claims it discovered the intrusion and breach.14

12 Brandon Bailey, Investigators Suspect Anthem Breach Began with ‘Phishing’ of Employees, INSURANCE JOURNAL, Feb. 10, 2015, <http://www.insurancejournal.com/news/national/2015/02/10/357051.htm> (last visited Feb. 12, 2015).

13 See id.

14 Brian Krebs, Anthem Breach May Have Started in April 2014, KREBS ON SECURITY, (Feb. 9, 2015), <http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/> (last visited Feb. 12, 2015).

22. According to Anthem, the company did not detect the unauthorized network activity until January 27, 2015, when an Anthem computer administrator discovered that other individuals had been using the administrator’s login credentials to access Anthem’s network. However, reports indicate that Anthem’s website dedicated to the security breach – www.anthemfacts.com – was registered on December 13, 2014, seven weeks before Anthem said it discovered the breach.15

23. Despite admitting the breach occurred, and that up to 80 million current and former Anthem members and employees dating back to 2004 could be affected, Anthem still has not individually notified all affected plan members and employees of the data breach. In many cases, Anthem has not even notified its own subsidiary companies whether their members are potentially affected. Instead, Anthem has said that it will begin mailing letters to individuals whose personal information was compromised “in the coming weeks.”16

24. On February 10, 2014, more than two weeks after Anthem claims it first learned of the breach, attorneys general from 10 states, including Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island, wrote a letter to Anthem CEO Joseph Swedish “to express our alarm at the failure of the company to communicate with affected individuals and, in particular, to provide them details about the protections the company will make available and how to access those protections.”17 The letter noted that the “delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers. We are also concerned that delays in providing protections to the victims of this breach compounds the risk they face.”18

15 Dan Goodin, String of big data breaches continues with hack on health insurer Anthem, ARS TECHNICA, (Feb. 5, 2015), <http://arstechnica.com/security/2015/02/string-of-big-data-breaches-continues-with-hack-on-health-insurer-anthem/> (last visited Feb. 12, 2015).

16 Anthem Data Breach FAQ, <http://www.anthemfacts.com/faq> (last visited Feb. 12, 2015).

17 Matthew Sturdevant, Attorneys General Demand Response From Anthem, HARTFORD COURANT, Feb. 10, 2015, <http://www.courant.com/business/connecticut-insurance/hc-jepsen-anthem-attorneys-general-letter-20150210-story.html> (last visited Feb. 12, 2015).

25. As a result of Anthem’s delay in notifying potentially affected individuals, many class members will be unaware that their personal information has been compromised and will not timely take the steps necessary to safeguard themselves from the improper use of that information.

Anthem Failed to Maintain Reasonable and Adequate Security Measures to Safeguard Employee and Member Information

26. According to security experts, healthcare related data theft “has become a booming business.”19 Even prior to the Anthem breach, major news outlets noted that “medical information is worth 10 times more than your credit card number on the black market” and that “cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.”20 One security expert noted that a patient’s medical records were auctioned off for $251 on the black market, while credit card records were selling for 33 cents.21

18 Id.

19 Reed Abelson and Julie Creswell, Data Breach at Anthem May Forecast a Trend, N.Y. TIMES, Feb. 6, 2015, <http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html> (last visited Feb. 12, 2015).

20 Caroline Humer and Jim Finkle, Your medical record is worth more to hackers than your credit card, REUTERS, Sept. 24, 2014, <http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924?feedType=RSS&feedName=healthNews> (last visited Feb. 12, 2015).

21 Reed Abelson and Julie Creswell, Data Breach at Anthem May Forecast a Trend, N.Y. TIMES, Feb. 6, 2015, <http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html> (last visited Feb. 12, 2015).

27. The reason for this is simple. When credit card numbers are stolen and charged, the unauthorized transaction can be quickly identified and the card shut down and replaced, oftentimes before major damage is done. There is no such “quick-fix” for replacing healthcare-related information of the type stolen from Anthem. As recognized by the New York Times, “patient medical records typically include information not easily destroyed, including date of birth, Social Security numbers and even physical characteristics that make them more useful for things like identity theft, creation of visas or insurance fraud by falsely billing for expensive medical or dental procedures that were either never done or performed on someone else. Some criminals have also tried a form of so-called ransom ware in which they threaten to reveal medical information unless they are paid.”22

28. Anthem was well aware of the value of its members’ and employees’ personal information on the black market. On April 8, 2014, the Federal Bureau of Investigation (FBI) issued a private industry notification to healthcare providers observing that the industry has especially lax data-security systems and warning healthcare providers that they are particularly vulnerable to cyber-attacks compared with other sectors.23

29. According to the FBI’s notice, “[t]he healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”24 The notice also mentioned that data sold on the black market can be even more valuable than credit card numbers because it includes information that can help with hacking into bank accounts or getting prescription drugs.25

22 Id.

23 Denver Nicks, FBI Warns Health Care Sector Is Especially Vulnerable to Cyberattacks, TIME, April 23, 2014, <http://time.com/74414/fbi-warning-healthcare-sector-cyberattack-vulnerability/> (last visited Feb. 12, 2015).

24 Id.

25 Id.

30. The FBI notice came on the heels of a cyber-attack on Community Hospital Systems, Inc. (CHS)—which operates more than 200 hospitals in 29 states—and impacted approximately 4.5 million people. While not referring to the CHS breach by name, the FBI warned that it “observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)[.]”26

31. The FBI notice also relied in part on the “SANS Cyberthreat Report” published in February of 2014. The SANS Report analyzed data between September 2012 and October 2013 and reached the conclusion that the “data analyzed was alarming . . . [i]t not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen.”27

32. According to the Identity Theft Resource Center, the healthcare sector accounted for 44.1 percent of all major breaches in 2013.28 A “2014 Data Breach Industry Forecast” report prepared by Experian noted that the “healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.”29 Likewise, BitSight Technology issued a 2014 cybersecurity report and found that “compensation levels for IT security workers are lowest in the sector, and that while companies are concerned with being compliant with federal privacy laws, ‘compliance does not equate to security.’”30

26 Jim Finkle, FBI warns healthcare firms they are targeted by hackers, REUTERS, Aug. 20, 2014, <http://www.reuters.com/article/2014/08/20/us-cybersecurity-healthcare-fbi-idUSKBN0GK24U20140820> (last visited Feb. 12, 2015).

27 SANS INSTITUTE, CYBERTHREAT REPORT: WIDESPREAD COMPROMISES DETECTED, COMPLIANCE NIGHTMARE ON HORIZON, 2, (Feb. 2014), <http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf> (last visited Feb. 12, 2015).

28 Identity Theft Resource Center, ITRC 2013 Breach List Tops 600 in 2013, <http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html> (last visited Feb. 12, 2015).

29 David Carr, Healthcare Data Breaches To Surge In 2014, INFORMATIONWEEK, Dec. 26, 2013, <http://www.informationweek.com/healthcare/policy-and-regulation/healthcare-data-breaches-to-surge-in-2014/d/d-id/1113259> (last visited Feb. 12, 2015).

33. These reports proved to be prophetic partly because Anthem chose not to encrypt the Personal Information of its members and employees.

34. Encryption is a way to enhance the security of a message or file by scrambling the contents so that it can be read only by someone who has the right encryption key to unscramble it. Encryption is “considered the most effective way to achieve data security.”31 The Health Insurance Portability and Accountability Act (HIPAA) “strongly encourages,” but does not require, companies to encrypt such data. Anthem instead chose to use “other measures, including elevated user credentials, to limit access to the data when it is residing in a database.”32

35. While encryption is not necessarily a cure-all, it “could have made the [Personal Information] less valuable to hackers or harder to access in bulk.”33 Tellingly, an Anthem spokesperson stated that “Anthem encrypts personal data when it moves in or out of its database, but not when it is stored.”34 Reasons for this include the high cost of encryption and Anthem’s desire to easily access the information to track “healthcare trends” and the like.

30 Shelley DuBois, Forget Target, your health care info is more at risk, THE TENNESSEAN, June 11, 2014, <http://www.tennessean.com/story/money/industries/health-care/2014/06/11/health-care-cybersecurity-even-worse-retail/10302989/> (last visited Feb. 12, 2015).

31 Bruce Japsen, Hackers Stole Data On 80 Million Anthem Customers. Why Wasn't It Encrypted?, FORBES, Feb. 6, 2015, <http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didnt-encrypt-personal-data-and-privacy-laws-dont-require-it/> (last visited Feb. 12, 2015).

32 Danny Yadron and Melinda Beck, Health Insurer Anthem Didn’t Encrypt Data in Theft, THE WALL STREET JOURNAL, Feb. 5, 2015, <http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560> (last visited Feb. 12, 2015).

33 Id.

34 Id.

36. Although Anthem received direct warnings from the FBI and cybersecurity experts – and observed multiple high-profile data breaches involving Target Corp., The Home Depot Inc., Community Hospital Systems, Inc., and JPMorgan Chase, among others–Anthem failed to maintain reasonable security procedures or implement stronger safeguards to protect its members’ and employees’ stored information.

The Effect of the Data Breach on Anthem’s Victims

37. The ramifications of Anthem’s failure to protect the Personal Information of its members and employees are severe. Identity thieves can use the information taken in the breach to perpetrate a variety of crimes that harm victims. For instance, identity thieves may commit various types of government fraud such as immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with another’s picture, using the victim’s information to obtain government benefits, or filing a fraudulent tax return using the victim’s information to obtain a fraudulent refund. Some of this activity may not come to light for years.

38. The U.S. Social Security Administration (SSA) warns that “[i]dentity theft is one of the fastest growing crimes in America.”35 Indeed, “[i]dentity thieves can use [the victim’s] number and your good credit to apply for more credit in [the victim’s] name. Then, they use the credit cards and do not pay the bills. [The victim] may not find out that someone is using your number until [the victim is] turned down for credit or [] begin[s] to get calls from unknown creditors demanding payment for items [the victim] never bought.”36 In short, “[s]omeone illegally using your Social Security number and assuming your identity can cause a lot of problems.”37

35 Identity Theft And Your Social Security Number, Social Security Administration (Dec. 2013), <http://www.ssa.gov/pubs/EN-05-10064.pdf> (last visited Feb. 12, 2015).

36 Id.

39. Under SSA policy, individuals cannot obtain a new Social Security

number until there is evidence of ongoing problems due to misuse of the Social

Security number. Even then, the SSA recognizes that “a new number probably will

not solve all your problems. This is because other governmental agencies (such as

the IRS and state motor vehicle agencies) and private businesses (such as banks and

credit reporting companies) will have records under your old number. Along with

other personal information, credit reporting companies use the number to identify

your credit record. So using a new number will not guarantee you a fresh start.”38

40. In fact, a new Social Security number is substantially less effective

where “other personal information, such as [the victim’s] name and address, remains

the same” and for some victims, “a new number actually creates new problems. If

the old credit information is not associated with [the victim’s] new number, the

absence of any credit history under your new number may make it more difficult for

[the victim] to get credit.”39

41. Identity thieves can use the victim’s Personal Information to commit

any number of frauds, such as obtaining a job, procuring housing, or even giving

false information to police during an arrest. In the medical context, Personal

Information can be used to submit false insurance claims, obtain prescription drugs

or medical devices for black-market resale, or get medical treatment in the victim’s

name. As a result, Plaintiff and members of the classes now face a real and

immediate risk of identity theft and other problems associated with the disclosure of

their Social Security number, and will need to monitor their credit and tax filings for

an indefinite duration.

37 Id.

38 Id.

39 Id.

42. The processes of discovering and dealing with the repercussions of

identity theft are time consuming and difficult. The Department of Justice’s Bureau

of Justice Statistics found that “among victims who had personal information used

for fraudulent purposes, 29% spent a month or more resolving problems.”40

Likewise, credit-monitoring services are not preventative, meaning they cannot

catch identity theft until after it happens.

43. Additionally, there is commonly lag time between when harm occurs

and when it is discovered, and also between when Personal Information is stolen and

when it is used. According to the U.S. Government Accountability Office, which

conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.41

44. There is a very strong probability that Anthem victims could be at risk

of fraud and identity theft for extended periods of time. In fact, fraudsters have

already taken advantage of the Anthem data breach in an attempt to obtain class

members’ Personal Information.

45. On February 6, 2015, two days after Anthem publicly announced the

breach, Anthem issued a press release warning that “[i]ndividuals who may have

been impacted by the cyber attack against Anthem, should be aware of scam email

campaigns targeting current and former Anthem members. These scams, designed to

capture personal information (known as “phishing”) are designed to appear as if

they are from Anthem and the emails include a “click here” link for credit

monitoring. These emails are NOT from Anthem.”42

40 Erika Harrell and Lynn Langton, Victims of Identity Theft, 2012, (Bureau of Justice Statistics), Dec. 2013, <http://www.bjs.gov/content/pub/pdf/vit12.pdf> (last visited Feb. 12, 2014).

41 U.S. Government Accountability Office, GAO Report to Congressional Requesters, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown, at 29, June 2007, <http://www.gao.gov/new.items/d07737.pdf> (last visited Feb. 12, 2014).

46. Additionally, the FBI has been investigating “fraudulent tax returns

filed in several states through the popular software [Intuit] TurboTax, the latest

instance of creative tricks cybercriminals are using to profit from stolen data.”43

Indeed, TurboTax had to temporarily suspend electronic filings of state tax returns

“after spotting an uptick in people using stolen personal information to file

fraudulent returns and claim tax refunds.”44 According to the Utah State Tax

Commission, “at least 19 states have endured similar fake tax filings” and “[m]any

taxpayers caught the problem after trying to file their returns, only to be notified by

TurboTax that their paperwork had already been submitted.”45

47. Plaintiff George Nicoud paid premiums to Anthem Blue Cross PPO for

many years prior to terminating coverage at the end of 2014. Plaintiff Kellen

Edwards is a resident of San Diego, California. He currently has health insurance

with Anthem Blue Cross, and has for several years.

48. As current and former Anthem health plan members, Anthem obtained

Plaintiffs’ sensitive personal information, including full names, birth dates, medical

IDs, Social Security numbers, physical addresses, e-mail addresses, and

employment information, including income and employment history. Plaintiffs have

not yet been notified of the breach by Anthem.

42 Press Release: Anthem Alerts Consumers to Protect Themselves from Scam Email Campaigns, <http://ir.antheminc.com/phoenix.zhtml?c=130104&p=irol-newsArticle&ID=2014520> (last visited Feb. 12, 2015).

43 Shan Li, FBI probes rash of fraudulent state tax returns filed through TurboTax, LA TIMES, Feb. 11, 2015, <http://www.latimes.com/business/la-fi-turbotax-fbi-20150212-story.html> (last visited Feb. 12, 2015).

44 Id.

45 Id.

49. As a result of Anthem’s negligent security practices and delay in

notifying affected customers, Plaintiffs and other former and current Anthem health

plan members and employees now face years of constant surveillance of their

financial and personal records, monitoring, and loss of rights. Plaintiffs and

members of the classes defined below are subject to an increased and concrete risk

of identity theft as a direct result of Anthem’s exposure of their Personal

Information.

CLASS ACTION ALLEGATIONS

50. Plaintiffs seek relief in their individual capacity and as representatives

of all others who are similarly situated. Pursuant to Fed. R. Civ. P. 23(a) and (b)(2)

and/or (b)(3), Plaintiffs bring this action on behalf of themselves and the classes

preliminarily defined as:

Current and former members of an Anthem health insurance plan and Anthem employees in California whose personal information was compromised as a result of the data breach announced in February 2015 (the “California Class”).

Current and former members of an Anthem health insurance plan and Anthem employees in the United States whose personal information was compromised as a result of the data breach announced in February 2015 (the “Nationwide Class”).

51. Excluded from the classes are Anthem, including any entity in which

Anthem has a controlling interest, is a parent or subsidiary, or which is controlled by

Anthem, as well as the officers, directors, affiliates, legal representatives, heirs,

predecessors, successors, and assigns of Anthem. Also excluded are the judges and

court personnel in this case and any members of their immediate families.

52. Numerosity. Fed. R. Civ. P. 23(a)(1). The members of the classes are

so numerous that the joinder of all members is impractical. While the exact number

of class members is unknown to Plaintiffs at this time, based on information and

belief, it is in the tens of millions.

53. Commonality. Fed. R. Civ. P. 23(a)(2) and (b)(3). There are questions

of law and fact common to the classes, which predominate over any questions

affecting only individual class members. These common questions of law and fact

include, without limitation:

a. Whether Anthem owed a duty to Plaintiffs and members of the

classes to adequately protect their personal and financial

information and to provide timely and accurate notice of the Data

Breach to Plaintiffs and members of the classes;

b. Whether Anthem knew or should have known that its computer

systems were vulnerable to attack;

c. Whether Anthem’s conduct, including its failure to act, resulted in

or was the proximate cause of the breach of its systems, resulting in

the loss of millions of consumers’ personal and financial data;

d. Whether Plaintiffs and members of the classes suffered injury,

including ascertainable losses, as a result of Anthem’s conduct or

failure to act;

e. Whether Anthem’s Personal Information storage and protection

protocols were reasonable under industry standards;

f. Whether Anthem violated California Civil Code section 1798.81.5

by failing to implement reasonable security procedures and

practices;

g. Whether Anthem violated California Civil Code section 1798.82 by

failing to promptly notify class members that their personal

information had been compromised;

h. Whether class members may obtain injunctive relief against Anthem

under Civil Code section 1798.84 or under California’s Unfair

Competition Law, Cal. Bus. & Prof. Code § 17200, et seq.;

i. Whether Plaintiffs and members of the classes are entitled to

recover actual damages and/or statutory damages; and

j. Whether Plaintiffs and members of the classes are entitled to

equitable relief, including injunctive relief, restitution, disgorgement

and/or other equitable relief.

54. All members of the proposed classes are readily ascertainable by

objective criteria. Anthem has access to addresses and other contact information for

members of the classes, which can be used for providing notice to many class

members.

55. Typicality. Fed. R. Civ. P. 23(a)(3). Plaintiffs’ claims are typical of

those of other class members because Plaintiffs’ information, like that of other class

members, was misused and/or disclosed by Anthem.

56. Adequacy of Representation. Fed. R. Civ. P. 23(a)(4). Plaintiffs will

fairly and adequately represent and protect the interests of the members of the

classes. Plaintiffs’ Counsel is competent and experienced in litigating class actions.

57. Superiority of Class Action. Fed. R. Civ. P. 23(b)(3). A class action is

superior to other available methods for the fair and efficient adjudication of this

controversy since joinder of all the members of the classes is impracticable.

Furthermore, the adjudication of this controversy through a class action will avoid

the possibility of inconsistent and potentially conflicting adjudication of the asserted

claims. There will be no difficulty in the management of this action as a class action.

58. Damages for any individual class member are likely insufficient to

justify the cost of individual litigation, so that in the absence of class treatment,

Anthem’s violations of law inflicting substantial damages in the aggregate would go

un-remedied without certification of the classes.

59. Class certification is also appropriate under Fed. R. Civ. P. 23(a) and

(b)(2), because Anthem has acted or has refused to act on grounds generally

applicable to the classes, so that final injunctive relief or corresponding declaratory

relief is appropriate as to the classes as a whole.

FIRST CAUSE OF ACTION

Negligence

(On Behalf of Plaintiffs and the Nationwide Class)

60. Plaintiffs incorporate by reference all preceding paragraphs as if fully

set forth herein.

61. Plaintiffs bring this cause of action on behalf of the Nationwide Class

whose personal information was compromised as a result of the data breach

publicized in February 2015.

62. In collecting the personal information of its current and former health

insurance plan members and employees, Anthem owed Plaintiffs and members of

the class a duty to exercise reasonable care in safeguarding and protecting that

information. This duty included, among other things, maintaining and testing

Anthem’s security systems and taking other reasonable security measures to protect

and adequately secure the personal data of Plaintiffs and the class from unauthorized

access and use. Anthem’s security system and procedures for handling the personal

information of its current and former health insurance plan members and employees

were intended to affect Plaintiffs and the class. Anthem was aware that by taking

such sensitive information of its health insurance plan members and employees, it

had a responsibility to take reasonable security measures to protect the data from

being stolen and, in the event of theft, easily accessed.

63. The duty Anthem owed to Plaintiffs and members of the class to

protect their personal information is also underscored by the California Customer

Records Act and HIPAA, which recognize the importance of maintaining the

confidentiality of personal information and were established to protect individuals

from improper disclosure of their personal information.

64. Additionally, Anthem had a duty to timely disclose to Plaintiffs and

members of the class that their personal information had been or was reasonably

believed to have been compromised. Timely disclosure is appropriate so that

Plaintiffs and members of the class could, among other things, report the theft of

their Social Security numbers to the Internal Revenue Service, monitor their credit

reports for identity fraud, undertake appropriate measures to avoid unauthorized

charges on their debit card or credit card accounts, and change or cancel their debit

or credit card PINs (personal identification numbers) to prevent or mitigate the risk

of fraudulent cash withdrawals or unauthorized transactions.

65. There is a close causal connection between Anthem’s failure to take

reasonable security standards to protect its current and former health insurance plan

members’ and employees’ data and the injury to Plaintiffs and the class. When

individuals have their personal information stolen, they are at risk for identity theft,

and need to buy credit monitoring services and purchase credit reports to determine

whether identity theft has occurred.

66. Anthem is morally to blame for not protecting the data of its current

and former health insurance plan members and employees by failing to take

reasonable security measures. If Anthem had taken reasonable security measures,

data thieves would not have been able to take the personal information of tens of

millions of current and former Anthem health insurance plan members and Anthem

employees.

67. The policy of preventing future harm weighs in favor of finding a

special relationship between Anthem and the class. Anthem’s health insurance plan

members and employees rely on Anthem as their provider and/or employer to keep

their data safe and in fact are required to share sensitive personal data with Anthem

as a condition of health plan enrollment and/or employment. If companies are not

held accountable for failing to take reasonable security measures to protect their

customers’ and employees’ personal information, then they will not take the steps

that are necessary to protect against future cyber-attacks and data breaches.

68. It was foreseeable that if Anthem did not take reasonable security

measures, the Personal Information of Plaintiffs and members of the class would be

stolen. Major corporations, particularly those in the healthcare industry, like

Anthem, face a higher threat of security breaches than other companies due in part

to the large amounts and type of data they possess and the value of such information

on the black market. Anthem should have known to take precautions to secure its

health plan members’ and employees’ data, especially in light of recent data

breaches and warnings regarding cyberattacks and network vulnerability in the

industry.

69. Anthem breached its duty to exercise reasonable care in protecting the

Personal Information of Plaintiffs and the class by failing to implement and maintain

adequate security measures to safeguard its health plan members’ and employees’

Personal Information, failing to monitor its systems to identify suspicious activity,

allowing unauthorized access to the personal information of Plaintiffs and the class,

and failing to encrypt or otherwise prevent unauthorized reading of such personal

information.

70. Anthem further breached its duty to timely notify Plaintiffs and the

class about the data breach. Anthem has failed to issue adequate notice to its current

and former health plan members and employees affected by the breach.

Additionally, Anthem was, or should have been, aware of breaches in its network

security at least as early as December 10, 2014.

71. But for Anthem’s failure to implement and maintain adequate security

measures to protect its current and former health plan members’ and employees’

personal information and failure to monitor its systems to identify suspicious

activity, the Personal Information of Plaintiffs and members of the class would not

have been stolen, and they would not be at a heightened risk of identity theft in the

future.

72. Anthem’s negligence was a substantial factor in causing harm to

Plaintiffs and members of the class.

73. As a direct and proximate result of Anthem’s failure to exercise

reasonable care and use commercially reasonable security measures, the personal

information of current and former Anthem health plan members and Anthem

employees was accessed by unauthorized individuals who could use the information

to commit identity fraud, medical fraud, or debit and credit card fraud. Plaintiffs and

the class face a heightened risk of identity theft.

74. Members of the class have also suffered economic damages, including

the purchase of credit monitoring services they would not have otherwise purchased.

75. Neither Plaintiffs nor other members of the class contributed to the

security breach, nor did they contribute to Anthem’s employment of insufficient

security measures to safeguard employees’ Personal Information.

76. Plaintiffs and the class seek compensatory damages and punitive

damages with interest, the costs of suit and attorneys’ fees, and other and further

relief as this Court deems just and proper.

SECOND CAUSE OF ACTION

Breach of Contract

(On Behalf of Plaintiffs and the Nationwide Class)

77. Plaintiffs incorporate by reference all preceding paragraphs as if fully

set forth herein.

78. Anthem’s Personal Information Privacy Protection Policy promises that

the company “maintains policies that protect the confidentiality of personal

information, including Social Security numbers, obtained from its members and

associates in the course of its regular business functions. Anthem Blue Cross and

Blue Shield is committed to protecting information about its customers and

associates, especially the confidential nature of their personal information (PI).”

Anthem also purports to “safeguard[] Social Security numbers and other personal

information by having physical, technical, and administrative safeguards in place.”

79. Anthem’s privacy policies constitute an agreement between (1) Anthem

and (2) its health plan members and employees.

80. Anthem has breached its agreement with class members to protect their

personal information by (1) failing to implement security measures designed to

prevent this attack even though the industry has been repeatedly warned about the

risk of cyber-attacks, (2) failing to employ security protocols to detect the

unauthorized network activity, and (3) failing to maintain basic security measures

such as complex data encryption so that if data were accessed or stolen it would be

unreadable.

81. Plaintiffs and class members have been damaged by Anthem’s breach

of its obligations because their personal information has been compromised and they

are at an increased risk for future identity theft and fraudulent activity on their

financial accounts. Plaintiffs and class members have been deprived of the value of

their Personal Information and have lost money and property as a result of Anthem’s

unlawful and unfair conduct.

82. Plaintiffs, individually and on behalf of the members of the Nationwide

Class, seek (a) damages suffered by members of the class, (b) equitable relief, and

(c) injunctive relief requiring Anthem to implement safeguards consistent with its

contractual promises.

THIRD CAUSE OF ACTION

Violation of the California Customer Records Act, California Civil Code Section 1798.80, et seq.

(On Behalf of Plaintiffs and the California Class)

83. Plaintiffs incorporate by reference all preceding paragraphs as if fully

set forth herein.

84. Plaintiffs bring this cause of action on behalf of the California Class

who made purchases with a debit or credit card at an Anthem store within three

years of the filing of this lawsuit.

85. “[T]o ensure that personal information about California residents is

protected,” the California Legislature enacted Civil Code section 1798.81.5, which

requires that any business that “owns or licenses personal information about a

California resident shall implement and maintain reasonable security procedures and

practices appropriate to the nature of the information, to protect the personal

information from unauthorized access, destruction, use, modification, or disclosure.”

86. Anthem is a “business” within the meaning of Civil Code section

1798.80(a).

87. Plaintiffs and members of the class are “individual[s]” within the

meaning of the Civil Code section 1798.80(d). Pursuant to Civil Code sections

1798.80(e) and 1798.81.5(d)(1)(C), “personal information” includes an individual’s

name, Social Security number, driver’s license or state identification card number,

debit card and credit card information, medical information, or health insurance

information. “Personal information” under Civil Code section 1798.80(e) also

includes address, telephone number, passport number, education, employment,

employment history, or health insurance information.

88. The breach of the data of the debit and credit card information of

millions of accounts of Anthem customers constituted a “breach of the security

system” of Anthem pursuant to Civil Code section 1798.82(g).

89. By failing to implement reasonable measures to protect its former and

current health insurance plan members’ and its employees’ personal data, Anthem

violated Civil Code section 1798.81.5.

90. In addition, by failing to promptly notify all affected former and current

Anthem plan members and employees that their personal information had been

acquired (or was reasonably believed to have been acquired) by unauthorized

persons in the data breach, Anthem violated Civil Code section 1798.82 of the same

title. Anthem’s failure to timely notify employees of the breach has caused damage

to class members who have had to buy identity protection services or take other

measures to remediate the breach caused by Anthem’s negligence.

91. By violating Civil Code sections 1798.81.5 and 1798.82, Anthem “may

be enjoined” under Civil Code section 1798.84(e).

92. Accordingly, Plaintiffs request that the Court enter an injunction

requiring Anthem to implement and maintain reasonable security procedures to

protect employees’ and members’ data in compliance with the California Customer

Records Act, including, but not limited to: (1) ordering that Anthem, consistent with

industry standard practices, engage third party security auditors/penetration testers

as well as internal security personnel to conduct testing, including simulated attacks,

penetration tests, and audits on Anthem’s systems on a periodic basis; (2) ordering

that Anthem engage third party security auditors and internal personnel, consistent

with industry standard practices, to run automated security monitoring; (3) ordering

that Anthem audit, test, and train its security personnel regarding any new or

modified procedures; (4) ordering that Anthem, consistent with industry standard

practices, conduct regular database scanning and securing checks; (5) ordering that

Anthem, consistent with industry standard practices, periodically conduct internal

training and education to inform internal security personnel how to identify and

contain a breach when it occurs and what to do in response to a breach; (6) ordering

Anthem to meaningfully educate its former and current members and employees

about the threats they face as a result of the loss of their personal information to

third parties, as well as the steps they must take to protect themselves; and (7)

ordering Anthem to encrypt sensitive personal information.

93. Plaintiffs further request that the Court require Anthem to (1) identify

and notify all members of the California Class who have not yet been informed of

the data breach; and (2) to notify affected customers of any future data breaches by

email within 24 hours of Anthem’s discovery of a breach or possible breach and by

mail within 72 hours.

94. As a result of Anthem’s violation of Civil Code sections 1798.81.5 and

1798.82, Plaintiffs and members of the California Class have and will incur

economic damages relating to time and money spent remedying the breach,

including but not limited to, expenses for bank fees associated with the breach, any

unauthorized charges made on financial accounts, lack of access to funds while

banks issue new cards, tax fraud, as well as the costs of credit monitoring and

purchasing credit reports.

95. Plaintiffs, individually and on behalf of the members of the California

Class, seek all remedies available under Civil Code section 1798.84, including, but

not limited to: (a) damages suffered by members of the class; and (b) equitable

relief.

96. Plaintiffs, individually and on behalf of the members of the California

Class, seek reasonable attorneys’ fees and costs under applicable law.

FOURTH CAUSE OF ACTION

Unlawful and Unfair Business Practices Under California Business and Professions Code § 17200, et seq.

(On Behalf of Plaintiffs and the California Class)

97. Plaintiffs incorporate by reference all preceding paragraphs as if fully

set forth herein.

98. Plaintiffs bring this cause of action on behalf of members of the

California Class whose personal information was compromised as a result of the

data breach publicized in February 2015.

99. Anthem’s acts and practices, as alleged in this Complaint, constitute

unlawful and unfair business practices, in violation of the Unfair Competition Law

(“UCL”), Cal. Bus. & Prof. Code § 17200, et seq., HIPAA, and because Anthem’s

conduct was negligent:

a. Anthem’s practices were unlawful and in violation of California

Civil Code section 1798.81.5(b) because Anthem failed to take

reasonable security measures in protecting its former and current

employees’ personal data;

b. Anthem’s practices were unlawful and in violation of California

Civil Code section 1798.82 because Anthem has unreasonably

delayed informing Plaintiffs and members of the class about the

breach of security after Anthem knew the data breach occurred;

c. Anthem violated HIPAA by failing to establish procedures to keep

employees’ medical information confidential and private. Protected

health information under HIPAA includes “individually identifiable

health information,” including name, address, date of birth, and

social security number. The Department of Health and Human

Services Office of Civil Rights issued a statement regarding the

Anthem data breach, which noted that “[t]he personally identifiable

information health plans maintain on enrollees and members —

including names and social security numbers — is protected under

HIPAA, even if no specific diagnostic or treatment information is

disclosed.” 45 C.F.R. § 164.530(c)(1) requires that Anthem

implement reasonable safeguards for this information, which

Anthem failed to do. 45 C.F.R. § 164.404 requires that companies

provide notice of the breach of unsecured protected health

information, which includes protected health information that is not

rendered unusable, unreadable, or indecipherable to unauthorized

persons – i.e. non-encrypted data. See 45 C.F.R. § 164.402. Anthem

has failed to provide such notice.

100. The acts, omissions, and conduct of Anthem constitute a violation of

the unlawful prong of the UCL because they failed to comport with a reasonable

standard of care and California public policy as reflected in statutes such as the

Information Practices Act of 1977, Cal. Civ. Code § 1798, et seq., California

Customer Records Act, and HIPAA, which seek to protect customer data and ensure

that entities who solicit or are entrusted with personal data utilize reasonable

security measures.

101. In failing to protect plan members’ and employees’ personal

information and unduly delaying informing them of the data breach, Anthem has

engaged in unfair business practices by engaging in conduct that undermines or

violates the stated policies underlying the California Customer Records Act and the

Information Practices Act of 1977. In enacting the California Customer Records

Act, the Legislature stated that: “[i]dentity theft is costly to the marketplace and to

consumers” and that “victims of identity theft must act quickly to minimize the

damage; therefore expeditious notification of possible misuse of a person’s personal

information is imperative.” 2002 Cal. Legis. Serv. Ch. 1054 (A.B. 700). Anthem’s

conduct also undermines California public policy as reflected in other statutes such

as the Information Practices Act of 1977, Cal. Civ. Code § 1798, et seq., which

seeks to protect individuals’ data and ensure that entities who solicit or are entrusted

with personal data utilize reasonable security measures.

102. As a direct and proximate result of Anthem’s unlawful and unfair

business practices as alleged herein, Plaintiffs and members of the California Class

have suffered injury in fact. Plaintiffs and the California Class have been injured in

that their personal information has been compromised and they are at an increased

risk for future identity theft and fraudulent activity on their financial accounts. Class

members have also lost money and property by purchasing credit-monitoring

services they would not otherwise have had to purchase but for Anthem’s unlawful and unfair

conduct.

103. As a direct and proximate result of Anthem’s unlawful and unfair

business practices as alleged herein, Plaintiffs and members of the California Class

face an increased risk of identity theft and medical fraud, based on the theft and

disclosure of their personal information.

104. Because of Anthem’s unfair and unlawful business practices, Plaintiffs

and members of the California Class are entitled to relief, including restitution for

costs incurred associated with the data breach and disgorgement of all profits

accruing to Anthem because of its unlawful and unfair business practices,

declaratory relief, and a permanent injunction enjoining Anthem from its unlawful

and unfair practices.

105. The injunctive relief that Plaintiffs and members of the California Class

are entitled to includes, but is not limited to: (1) ordering that Anthem, consistent

with industry standard practices, engage third party security auditors/penetration

testers as well as internal security personnel to conduct testing, including simulated

attacks, penetration tests, and audits on Anthem’s systems on a periodic basis; (2)

ordering that Anthem engage third party security auditors and internal personnel,

consistent with industry standard practices, to run automated security monitoring;

(3) ordering that Anthem audit, test, and train its security personnel regarding any

new or modified procedures; (4) ordering that Anthem, consistent with industry

standard practices, conduct regular database scanning and securing checks; (5)

ordering that Anthem, consistent with industry standard practices, periodically

conduct internal training and education to inform internal security personnel how to

identify and contain a breach when it occurs and what to do in response to a breach;

(6) ordering Anthem to meaningfully educate its former and current members and

employees about the threats they face as a result of the loss of their personal

information to third parties, as well as the steps they must take to protect

themselves; and (7) ordering Anthem to encrypt sensitive personal information.

106. Plaintiffs, individually and on behalf of the members of the California

Class, also seek reasonable attorneys’ fees and costs under applicable law.

PRAYER FOR RELIEF

WHEREFORE, Plaintiffs, on behalf of themselves and the classes set forth

herein, respectfully request the following relief:

a. That the Court certify this case as a class action pursuant to Fed. R.

Civ. P. 23(a), (b)(2) and/or (b)(3), and, pursuant to Fed. R. Civ. P.

23(g), appoint the named Plaintiffs to be Class representatives and

the undersigned counsel to be Class counsel;

b. That the Court award Plaintiffs and the classes appropriate relief,

including actual and statutory damages, restitution and

disgorgement;

c. That the Court award Plaintiffs and the classes equitable, injunctive

and declaratory relief as may be appropriate under applicable state

laws;

d. That the Court award Plaintiffs and the classes actual damages,

compensatory damages, statutory damages, and statutory penalties,

to the full extent permitted by law, in an amount to be determined;

e. That the Court award Plaintiffs and the classes pre-judgment and

post-judgment interest;

f. That the Court award Plaintiffs and the classes reasonable attorney

fees and costs as allowable by law; and

g. That the Court award Plaintiffs and the classes such other, favorable

relief as allowable under law or at equity.

JURY DEMAND

Plaintiffs hereby demand a jury trial in the instant action.

Dated: February 13, 2015

Respectfully submitted,

By: s/ Jason S. Hartley

Jason S. Hartley (CA Bar No. 192514) STUEVE SIEGEL HANSON LLP 550 West C. Street, Suite 1750 San Diego, CA 92101 Tel: (619) 400-5822 Fax: (619) 400-5832

Norman E. Siegel Barrett J. Vahle J. Austin Moore (pro hac vice forthcoming) STUEVE SIEGEL HANSON LLP 460 Nichols Road, Suite 200 Kansas City MO 64112 Tel: (816) 714-7100 Fax: (816) 714-7101

Joseph M. Barton (CA Bar No. 188441) LAW OFFICES OF JOSEPH M. BARTON 628 Manzanita Avenue Corte Madera, CA 94925 Telephone: 415-235-9162 [email protected]

John K. Landay, Esq. (CA Bar No. 257573) LANDAY ROBERTS LLP 450 J Street, Unit 5291 San Diego, CA 92101 (805) 305-3384 [email protected]

Counsel for Plaintiffs and the Classes