CLASS ACTION COMPLAINT
Jason S. Hartley (CA Bar No. 192514)
STUEVE SIEGEL HANSON LLP
550 West C Street, Suite 1750
San Diego, CA 92101
Phone: (619) 400-5822
Fax: (619) 400-5832
[email protected]
Norman E. Siegel
Barrett J. Vahle
J. Austin Moore
(pro hac vice forthcoming)
STUEVE SIEGEL HANSON LLP
460 Nichols Road, Suite 200
Kansas City, Missouri 64112
Phone: (816) 714-7100
Fax: (816) 714-7101
[email protected]
[email protected]
[email protected]
Attorneys for Plaintiffs
IN THE UNITED STATES DISTRICT COURT
FOR THE SOUTHERN DISTRICT OF CALIFORNIA
KELLEN EDWARDS and GEORGE NICOUD, on behalf of themselves and all others similarly situated, Plaintiffs, v. ANTHEM, INC., and BLUE CROSS OF CALIFORNIA d/b/a ANTHEM BLUE CROSS, Defendants.
CASE NO. '15CV0318 NLSLAB
CLASS ACTION COMPLAINT
JURY TRIAL DEMANDED
Plaintiffs George Nicoud and Kellen Edwards, individually and on behalf of
the classes of similarly situated persons defined below, allege the following against
Anthem, Inc. and Blue Cross of California d/b/a Anthem Blue Cross (collectively
referred to herein as “Anthem” or “Defendants”) based upon personal knowledge
with respect to themselves and on information and belief derived from, among other
things, investigation of counsel and review of public documents as to all other
matters.
NATURE OF THE ACTION
1. Anthem Inc., the second-largest health insurer in the United States by
market value, recently suffered the largest healthcare-related data breach in history.
The breach included the personal information of both current and former members
and employees of Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue
Cross and Blue Shield, Amerigroup, Caremore, Unicare, BlueCard and numerous
other state Blue Cross and Blue Shield programs, the full extent of which is still
unknown.
2. On February 4, 2015, Anthem first publicly disclosed that hackers had
breached the company’s computer systems which stored the full names, birth dates,
medical IDs, Social Security numbers, physical addresses, e-mail addresses, and
employment information, including income and employment history (“Personal
Information”), of approximately 80 million current and former Anthem health
insurance plan members and Anthem employees. On February 12, 2015, Anthem
admitted that the stored information dated back to 2004,1 putting every current or
former Anthem employee and plan member in the last decade at risk.
1 Chad Terhune, Anthem says hackers had access to customer data back to 2004, LA TIMES, (Feb. 12, 2015), <http://www.latimes.com/business/la-fi-anthem-data-breach-20150212-story.html> (last visited Feb. 12, 2015).
3. Plaintiffs are current and former Anthem Blue Cross plan members and
bring this class action lawsuit on behalf of Anthem health plan members and
Anthem employees whose personal information has been compromised as a result of
Anthem’s failure to maintain reasonable and adequate security measures to
safeguard its members’ and employees’ Personal Information. Plaintiffs are seeking
damages, restitution, and injunctive relief requiring Anthem to implement and
maintain reasonable and effective security practices.
PARTIES
4. Plaintiff George Nicoud is a resident of California. He paid health
insurance premiums to Anthem Blue Cross PPO for many years prior to terminating
coverage at the end of 2014.
5. Plaintiff Kellen Edwards is a resident of San Diego, California. He
currently has health insurance with Anthem Blue Cross, and has for several years.
6. Defendant Anthem, Inc. is an Indiana corporation with its principal
place of business in Indianapolis, Indiana. Anthem, Inc. was formerly known as
WellPoint, Inc. and changed its name on December 3, 2014.
7. Defendant Blue Cross of California d/b/a Anthem Blue Cross is a
California corporation, and wholly owned subsidiary of Anthem, Inc. Blue Cross of
California is the state’s largest for-profit health insurer.
JURISDICTION AND VENUE
8. This Court has jurisdiction over this action under the Class Action
Fairness Act, 28 U.S.C. § 1332(d)(2). The amount in controversy exceeds $5 million
exclusive of interest and costs. At least one Plaintiff and Defendant are citizens of
different states. There are more than 100 putative class members.
9. This Court has jurisdiction over Defendants Anthem and Blue Cross of
California because they are registered to conduct business in California, have
sufficient minimum contacts in California, or otherwise intentionally avail
themselves of the markets within California, through the promotion, sale, marketing
and distribution of their products in California, to render the exercise of jurisdiction
by this Court proper and necessary. Defendant Blue Cross of California is
incorporated in California.
10. Venue is proper in this District under 28 U.S.C. § 1391 because
Defendants conduct substantial business in this District, Plaintiff Edwards resides in
this District, and a substantial part of the events giving rise to Plaintiff Edwards’s
claims occurred in this District.
FACTUAL ALLEGATIONS
Anthem Collects Significant Amounts of Employee and Member Information
11. According to its annual U.S. Securities and Exchange Commission
(SEC) filings, “Anthem, Inc. is one of the largest health benefits companies in terms
of medical membership in the United States, serving 35.7 million medical members
through our affiliated health plans and more than 67.8 million individuals through
all subsidiaries as of December 31, 2013.”2
12. Anthem is an independent licensee of the Blue Cross and Blue Shield
Association, an association of independent health benefit plans. Anthem, through its
subsidiaries, is licensed to conduct insurance operations in all 50 states, and
conducts business in California through the business operations of its wholly owned
subsidiary, Anthem Blue Cross. Anthem provides health insurance coverage as
“Blue Cross and Blue Shield” in Colorado, Connecticut, Georgia, Indiana,
Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia
and Wisconsin. Anthem offers health insurance through its wholly-owned subsidiary
“Amerigroup” in Florida, Georgia, Kansas, Louisiana, Maryland, Nevada, New
Jersey, New York, Tennessee, Texas and Washington. Anthem also provides health
insurance to certain Arizona, California, Nevada, New York and Virginia markets
through its subsidiary “CareMore,” and throughout the country as “HealthLink” and
“UniCare.”3
2 Wellpoint, Inc., Annual Report (Form 10-K), at 3 (for the fiscal year ended December 31, 2013), <http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm> (last visited Feb. 12, 2015).
13. In a notice available on its website, Anthem states that it collects, uses
and shares the “nonpublic” and “personal” information of its members.4 The notice
provides that Anthem “may collect [Personal Information] about you from other
persons or entities, such as doctors, hospitals or other carriers. We may share
[Personal Information] with persons or entities outside of our company — without
your OK in some cases.”5 The notice further provides that “[b]ecause [Personal
Information] is defined as any information that can be used to make judgments
about your health, finances, character, habits, hobbies, reputation, career and credit,
we take reasonable safety measures to protect the [Personal Information] we have
about you.”6
14. Anthem recognizes that its members’ and employees’ Personal
Information is highly sensitive and that it has a duty to safeguard and secure such
information. Anthem states on its website:
Personal Information (Including Social Security Number) Privacy Protection Policy
Anthem Blue Cross and Blue Shield maintains policies that protect the confidentiality of personal information, including Social Security numbers, obtained from its members and associates in the course of its regular business functions. Anthem Blue Cross and Blue Shield is committed to protecting information about its customers and associates, especially the confidential nature of their personal information (PI).
3 See id.
4 Anthem Notice: Information that’s important to you, <https://www.anthem.com/health-insurance/nsecurepdf/english_common_11832ANMEN> (last visited Feb. 12, 2015).
5 Id.
6 Id.
Personal Information is information that is capable of being associated with an individual through one or more identifiers including but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
Anthem Blue Cross and Blue Shield is committed to protecting the confidentiality of Social Security numbers and other Personal Information.
Anthem Blue Cross and Blue Shield’s Privacy Policy imposes a number of standards to:
guard the confidentiality of Social Security numbers and other personal information,
prohibit the unlawful disclosure of Social Security numbers, and
limit access to Social Security numbers.
Anthem Blue Cross and Blue Shield will not use or share Social Security numbers or personal information with anyone outside the company except when permitted or required by federal and state law.
Anthem Blue Cross and Blue Shield Associates must only access Social Security numbers or personal information as required by their job duties. Anthem Blue Cross and Blue Shield has in place a minimum necessary policy which states that associates may only access, use or disclose Social Security numbers or personal information to complete a specific task and as allowed by law.
Anthem Blue Cross and Blue Shield safeguards Social Security numbers and other personal information by having physical, technical,
and administrative safeguards in place.7
15. Anthem also recognizes that protecting the Personal Information of its
members and employees is vital to its “business, reputation and profitability.” In a
recent SEC filing, Anthem stated:
As part of our normal operations, we collect, process and retain sensitive and confidential member information.
We are subject to various federal, state and international laws and rules regarding the use and disclosure of sensitive or confidential member and provider information, including HIPAA, the HITECH Act, the Gramm-Leach-Bliley Act, and numerous state laws governing personal information.
Despite the security measures we have in place to help ensure compliance with applicable laws and rules, our facilities and systems, and those of our third party service providers, are vulnerable to cyber-attacks, security breaches, acts of vandalism, computer viruses, misplaced or lost data, programming and/or human errors or other similar events.
Noncompliance with any privacy or security laws and regulations, or any security breach, cyber-attack or cyber security breach, and any incident involving the misappropriation, loss or other unauthorized disclosure of, or access to, sensitive or confidential member information, whether by us or by one of our vendors, could require us to expend significant resources to remediate any damage, interrupt our operations and damage our reputation, and could also result in regulatory enforcement actions, material fines and penalties, litigation or other actions which could have a material adverse effect on our business, reputation and results of operations.8
16. In addition to its substantial current member and employee database,
Anthem also stores and maintains the Personal Information of former members and
employees–even years after their relationship with Anthem has ended. Anthem
admitted that hackers gained access to employee and member information dating all
the way back to 2004.9
7 Anthem Privacy Statement, <https://www.anthem.com/health-insurance/about-us/privacy#hipaa> (last visited Feb. 12, 2015).
8 Wellpoint, Inc., Annual Report (Form 10-K), at 34-35 (for the fiscal year ended December 31, 2013), <http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm> (last visited Feb. 12, 2015).
17. Anthem has a history of failing to adequately protect the Personal
Information of its members. In 2010, Anthem (then Wellpoint) was fined $1.7
million by the U.S. Department of Health and Human Services (HHS) for a
computer breach that resulted in the disclosure of personal information of
approximately 612,000 people. The HHS investigation found that in 2009 and 2010,
Anthem did not adequately implement policies and procedures to protect unsecured
“electronic protected health information” covered by the Health Insurance
Portability and Accountability Act (HIPAA), including the names, dates of birth,
addresses, Social Security numbers, telephone numbers and health information of
Anthem customers.10
18. Although the CEO of Anthem recently stated that “[s]afeguarding
[members’] personal, financial and medical information is one of our top priorities,
and because of that, we have state-of-the-art information security systems to protect
your data,”11 Anthem’s past history and the details of the most recent breach make
clear that Anthem failed to take even basic safeguards to protect the Personal
Information of its members and employees.
9 Chad Terhune, Anthem says hackers had access to customer data back to 2004, LA TIMES, Feb. 12, 2015, <http://www.latimes.com/business/la-fi-anthem-data-breach-20150212-story.html> (last visited Feb. 12, 2015).
10 July 8, 2013 Resolution Agreement between HHS and WellPoint, Inc. <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.pdf> (last visited Feb. 12, 2015).
11 Kara Brandeisky, Anthem Health Insurance Was Hacked. Here’s What Customers Need to Know, TIME, Feb. 5, 2015, <http://time.com/money/3697026/anthem-data-breach-social-security/> (last visited Feb. 12, 2015).
The Anthem Data Breach
19. On February 4, 2015, Anthem announced that hackers had breached its
network and obtained the personal information of approximately 80 million Anthem
health insurance plan members and Anthem employees. The affected brands and
plans are Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and
Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup,
Caremore, and Unicare as well as members of the Blue Cross and Blue Shield
Association’s BlueCard program. The information obtained by the hackers includes
full names, birth dates, medical IDs, Social Security numbers, physical addresses,
e-mail addresses, and employment information, including income and employment
history.
20. Investigators believe that the hackers accessed Anthem’s database by
using the credentials of five different Anthem employees.12 Anthem confirmed that
unauthorized attempts to access the network started at least between December 10,
2014 and January 27, 2015, but may have started even earlier.13
21. According to security blogger Brian Krebs of Krebs on Security, an
“analysis of open source information on the cybercriminal infrastructure” suggests
that hackers may have first gained access to Anthem’s network in April of 2014,
nine months before Anthem claims it discovered the intrusion and breach.14
22. According to Anthem, the company did not detect the unauthorized
network activity until January 27, 2015, when an Anthem computer administrator
discovered that other individuals had been using the administrator’s login
credentials to access Anthem’s network. However, reports indicate that Anthem’s
website dedicated to the security breach – www.anthemfacts.com – was registered
on December 13, 2014, seven weeks before Anthem said it discovered the breach.15
12 Brandon Bailey, Investigators Suspect Anthem Breach Began with ‘Phishing’ of Employees, INSURANCE JOURNAL, Feb. 10, 2015, <http://www.insurancejournal.com/news/national/2015/02/10/357051.htm> (last visited Feb. 12, 2015).
13 See id.
14 Brian Krebs, Anthem Breach May Have Started in April 2014, KREBS ON SECURITY, (Feb. 9, 2015), <http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/> (last visited Feb. 12, 2015).
23. Despite admitting the breach occurred, and that up to 80 million current
and former Anthem members and employees dating back to 2004 could be affected,
Anthem still has not individually notified all affected plan members and employees
of the data breach. In many cases, Anthem has not even notified its own subsidiary
companies whether their members are potentially affected. Instead, Anthem has said
that it will begin mailing letters to individuals whose personal information was
compromised “in the coming weeks.”16
24. On February 10, 2014, more than two weeks after Anthem claims it
first learned of the breach, attorneys general from 10 states, including Arkansas,
Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada,
Pennsylvania, and Rhode Island, wrote a letter to Anthem CEO Joseph Swedish “to
express our alarm at the failure of the company to communicate with affected
individuals and, in particular, to provide them details about the protections the
company will make available and how to access those protections.”17 The letter
noted that the “delay in notifying those impacted is unreasonable and is causing
unnecessary added worry to an already concerned population of Anthem customers.
We are also concerned that delays in providing protections to the victims of this
breach compounds the risk they face.”18
15 Dan Goodin, String of big data breaches continues with hack on health insurer Anthem, ARS TECHNICA, (Feb. 5, 2015), <http://arstechnica.com/security/2015/02/string-of-big-data-breaches-continues-with-hack-on-health-insurer-anthem/> (last visited Feb. 12, 2015).
16 Anthem Data Breach FAQ, <http://www.anthemfacts.com/faq> (last visited Feb. 12, 2015).
17 Matthew Sturdevant, Attorneys General Demand Response From Anthem, HARTFORD COURANT, Feb. 10, 2015, <http://www.courant.com/business/connecticut-insurance/hc-jepsen-anthem-attorneys-general-letter-20150210-story.html> (last visited Feb. 12, 2015).
25. As a result of Anthem’s delay in notifying potentially affected
individuals, many class members will be unaware that their personal information has
been compromised and will not timely take the steps necessary to safeguard
themselves from the improper use of that information.
Anthem Failed to Maintain Reasonable and Adequate Security Measures to Safeguard Employee and Member Information
26. According to security experts, healthcare related data theft “has become
a booming business.”19 Even prior to the Anthem breach, major news outlets noted
that “medical information is worth 10 times more than your credit card number on
the black market” and that “cyber criminals are increasingly targeting the $3 trillion
U.S. healthcare industry, which has many companies still reliant on aging computer
systems that do not use the latest security features.”20 One security expert noted that
a patient’s medical records were auctioned off for $251 on the black market, while
credit card records were selling for 33 cents.21
27. The reason for this is simple. When credit card numbers are stolen and
charged, the unauthorized transaction can be quickly identified and the card shut
down and replaced, oftentimes before major damage is done. There is no such
“quick-fix” for replacing healthcare-related information of the type stolen from
Anthem. As recognized by the New York Times, “patient medical records typically
include information not easily destroyed, including date of birth, Social Security
numbers and even physical characteristics that make them more useful for things
like identity theft, creation of visas or insurance fraud by falsely billing for
expensive medical or dental procedures that were either never done or performed on
someone else. Some criminals have also tried a form of so-called ransom ware in
which they threaten to reveal medical information unless they are paid.”22
18 Id.
19 Reed Abelson and Julie Creswell, Data Breach at Anthem May Forecast a Trend, N.Y. TIMES, Feb. 6, 2015, <http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html> (last visited Feb. 12, 2015).
20 Caroline Humer and Jim Finkle, Your medical record is worth more to hackers than your credit card, REUTERS, Sept. 24, 2014, <http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924?feedType=RSS&feedName=healthNews> (last visited Feb. 12, 2015).
21 Reed Abelson and Julie Creswell, Data Breach at Anthem May Forecast a Trend, N.Y. TIMES, Feb. 6, 2015, <http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html> (last visited Feb. 12, 2015).
28. Anthem was well aware of the value of its members’ and employees’
personal information on the black market. On April 8, 2014, the Federal Bureau of
Investigation (FBI) issued a private industry notification to healthcare providers
observing that the industry has especially lax data-security systems and warning
healthcare providers that they are particularly vulnerable to cyber-attacks compared
with other sectors.23
29. According to the FBI’s notice, “[t]he healthcare industry is not as
resilient to cyber intrusions compared to the financial and retail sectors, therefore
the possibility of increased cyber intrusions is likely.”24 The notice also mentioned
that data sold on the black market can be even more valuable than credit card
numbers because it includes information that can help with hacking into bank
accounts or getting prescription drugs.25
22 Id.
23 Denver Nicks, FBI Warns Health Care Sector Is Especially Vulnerable to Cyberattacks, TIME, April 23, 2014, <http://time.com/74414/fbi-warning-healthcare-sector-cyberattack-vulnerability/> (last visited Feb. 12, 2015).
24 Id.
25 Id.
30. The FBI notice came on the heels of a cyber-attack on Community
Hospital Systems, Inc. (CHS)—which operates more than 200 hospitals in 29
states—and impacted approximately 4.5 million people. While not referring to the
CHS breach by name, the FBI warned that it “observed malicious actors targeting
healthcare related systems, perhaps for the purpose of obtaining Protected
Healthcare Information (PHI) and/or Personally Identifiable Information (PII)[.]”26
31. The FBI notice also relied in part on the “SANS Cyberthreat Report”
published in February of 2014. The SANS Report analyzed data between September
2012 and October 2013 and reached the conclusion that the “data analyzed was
alarming . . . [i]t not only confirmed how vulnerable the industry had become, it also
revealed how far behind industry-related cybersecurity strategies and controls have
fallen.”27
32. According to the Identity Theft Resource Center, the healthcare sector
accounted for 44.1 percent of all major breaches in 2013.28 A “2014 Data Breach
Industry Forecast” report prepared by Experian noted that the “healthcare industry,
by far, will be the most susceptible to publicly disclosed and widely scrutinized data
breaches in 2014.”29 Likewise, BitSight Technology issued a 2014 cybersecurity
report and found that “compensation levels for IT security workers are lowest in the
sector, and that while companies are concerned with being compliant with federal
privacy laws, ‘compliance does not equate to security.’”30
26 Jim Finkle, FBI warns healthcare firms they are targeted by hackers, REUTERS, Aug. 20, 2014, <http://www.reuters.com/article/2014/08/20/us-cybersecurity-healthcare-fbi-idUSKBN0GK24U20140820> (last visited Feb. 12, 2015).
27 SANS INSTITUTE, CYBERTHREAT REPORT: WIDESPREAD COMPROMISES DETECTED, COMPLIANCE NIGHTMARE ON HORIZON, 2, (Feb. 2014), <http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf> (last visited Feb. 12, 2015).
28 Identity Theft Resource Center, ITRC 2013 Breach List Tops 600 in 2013, <http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html> (last visited Feb. 12, 2015).
29 David Carr, Healthcare Data Breaches To Surge In 2014, INFORMATIONWEEK, Dec. 26, 2013, <http://www.informationweek.com/healthcare/policy-and-regulation/healthcare-data-breaches-to-surge-in-2014/d/d-id/1113259> (last visited Feb. 12, 2015).
33. These reports proved to be prophetic partly because Anthem chose not
to encrypt the Personal Information of its members and employees.
34. Encryption is a way to enhance the security of a message or file by
scrambling the contents so that it can be read only by someone who has the right
encryption key to unscramble it. Encryption is “considered the most effective way to
achieve data security.”31 The Health Insurance Portability and Accountability Act
(HIPAA) “strongly encourages,” but does not require, companies to encrypt such
data. Anthem instead chose to use “other measures, including elevated user
credentials, to limit access to the data when it is residing in a database.”32
35. While encryption is not necessarily a cure-all, it “could have made the
[Personal Information] less valuable to hackers or harder to access in bulk.”33
Tellingly, an Anthem spokesperson stated that “Anthem encrypts personal data
when it moves in or out of its database, but not when it is stored.”34 Reasons for this
include the high cost of encryption and Anthem’s desire to easily access the
information to track “healthcare trends” and the like.
30 Shelley DuBois, Forget Target, your health care info is more at risk, THE TENNESSEAN, June 11, 2014, <http://www.tennessean.com/story/money/industries/health-care/2014/06/11/health-care-cybersecurity-even-worse-retail/10302989/> (last visited Feb. 12, 2015).
31 Bruce Japsen, Hackers Stole Data On 80 Million Anthem Customers. Why Wasn't It Encrypted?, FORBES, Feb. 6, 2015, <http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didnt-encrypt-personal-data-and-privacy-laws-dont-require-it/> (last visited Feb. 12, 2015).
32 Danny Yadron and Melinda Beck, Health Insurer Anthem Didn’t Encrypt Data in Theft, THE WALL STREET JOURNAL, Feb. 5, 2015, <http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560> (last visited Feb. 12, 2015).
33 Id.
34 Id.
36. Although Anthem received direct warnings from the FBI and
cybersecurity experts – and observed multiple high-profile data breaches involving
Target Corp., The Home Depot Inc., Community Hospital Systems, Inc., and
JPMorgan Chase, among others–Anthem failed to maintain reasonable security
procedures or implement stronger safeguards to protect its members’ and
employees’ stored information.
The Effect of the Data Breach on Anthem’s Victims
37. The ramifications of Anthem’s failure to protect the Personal
Information of its members and employees are severe. Identity thieves can use the
information taken in the breach to perpetrate a variety of crimes that harm victims.
For instance, identity thieves may commit various types of government fraud such
as immigration fraud, obtaining a driver’s license or identification card in the
victim’s name but with another’s picture, using the victim’s information to obtain
government benefits, or filing a fraudulent tax return using the victim’s information
to obtain a fraudulent refund. Some of this activity may not come to light for years.
38. The U.S. Social Security Administration (SSA) warns that “[i]dentity
theft is one of the fastest growing crimes in America.”35 Indeed, “[i]dentity thieves
can use [the victim’s] number and your good credit to apply for more credit in [the
victim’s] name. Then, they use the credit cards and do not pay the bills. [The victim]
may not find out that someone is using your number until [the victim is] turned
down for credit or [] begin[s] to get calls from unknown creditors demanding
payment for items [the victim] never bought.”36 In short, “[s]omeone illegally using
your Social Security number and assuming your identity can cause a lot of
problems.”37
35 Identity Theft And Your Social Security Number, Social Security Administration (Dec. 2013), <http://www.ssa.gov/pubs/EN-05-10064.pdf> (last visited Feb. 12, 2015).
36 Id.
39. Under SSA policy, individuals cannot obtain a new Social Security
number until there is evidence of ongoing problems due to misuse of the Social
Security number. Even then, the SSA recognizes that “a new number probably will
not solve all your problems. This is because other governmental agencies (such as
the IRS and state motor vehicle agencies) and private businesses (such as banks and
credit reporting companies) will have records under your old number. Along with
other personal information, credit reporting companies use the number to identify
your credit record. So using a new number will not guarantee you a fresh start.”38
40. In fact, a new Social Security number is substantially less effective
where “other personal information, such as [the victim’s] name and address, remains
the same” and for some victims, “a new number actually creates new problems. If
the old credit information is not associated with [the victim’s] new number, the
absence of any credit history under your new number may make it more difficult for
[the victim] to get credit.”39
41. Identity thieves can use the victim’s Personal Information to commit
any number of frauds, such as obtaining a job, procuring housing, or even giving
false information to police during an arrest. In the medical context, Personal
Information can be used to submit false insurance claims, obtain prescription drugs
or medical devices for black-market resale, or get medical treatment in the victim’s
name. As a result, Plaintiffs and members of the classes now face a real and
immediate risk of identity theft and other problems associated with the disclosure of
their Social Security number, and will need to monitor their credit and tax filings for
an indefinite duration.
37 Id.
38 Id.
39 Id.
42. The processes of discovering and dealing with the repercussions of
identity theft are time consuming and difficult. The Department of Justice’s Bureau
of Justice Statistics found that “among victims who had personal information used
for fraudulent purposes, 29% spent a month or more resolving problems.”40
Likewise, credit-monitoring services are not preventative, meaning they cannot
catch identity theft until after it happens.
43. Additionally, there is commonly lag time between when harm occurs
and when it is discovered, and also between when Personal Information is stolen and
when it is used. According to the U.S. Government Accountability Office, which
conducted a study regarding data breaches:
[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.41
44. There is a very strong probability that Anthem victims could be at risk
of fraud and identity theft for extended periods of time. In fact, fraudsters have
already taken advantage of the Anthem data breach in an attempt to obtain class
members’ Personal Information.
45. On February 6, 2015, two days after Anthem publicly announced the
breach, Anthem issued a press release warning that “[i]ndividuals who may have
been impacted by the cyber attack against Anthem, should be aware of scam email
campaigns targeting current and former Anthem members. These scams, designed to
capture personal information (known as “phishing”) are designed to appear as if
they are from Anthem and the emails include a “click here” link for credit
monitoring. These emails are NOT from Anthem.”42
40 Erika Harrell and Lynn Langton, Victims of Identity Theft, 2012, (Bureau of Justice Statistics), Dec. 2013, <http://www.bjs.gov/content/pub/pdf/vit12.pdf> (last visited Feb. 12, 2014).
41 U.S. Government Accountability Office, GAO Report to Congressional Requesters, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown, at 29, June 2007, <http://www.gao.gov/new.items/d07737.pdf> (last visited Feb. 12, 2014).
46. Additionally, the FBI has been investigating “fraudulent tax returns
filed in several states through the popular software [Intuit] TurboTax, the latest
instance of creative tricks cybercriminals are using to profit from stolen data.”43
Indeed, TurboTax had to temporarily suspend electronic filings of state tax returns
“after spotting an uptick in people using stolen personal information to file
fraudulent returns and claim tax refunds.”44 According to the Utah State Tax
Commission, “at least 19 states have endured similar fake tax filings” and “[m]any
taxpayers caught the problem after trying to file their returns, only to be notified by
TurboTax that their paperwork had already been submitted.”45
47. Plaintiff George Nicoud paid premiums to Anthem Blue Cross PPO for
many years prior to terminating coverage at the end of 2014. Plaintiff Kellen
Edwards is a resident of San Diego, California. He currently has health insurance
with Anthem Blue Cross, and has for several years.
48. As current and former Anthem health plan members, Anthem obtained
Plaintiffs’ sensitive personal information, including full names, birth dates, medical
IDs, Social Security numbers, physical addresses, e-mail addresses, and
employment information, including income and employment history. Plaintiffs have
not yet been notified of the breach by Anthem.
42 Press Release: Anthem Alerts Consumers to Protect Themselves from Scam Email Campaigns, <http://ir.antheminc.com/phoenix.zhtml?c=130104&p=irol-newsArticle&ID=2014520> (last visited Feb. 12, 2015).
43 Shan Li, FBI probes rash of fraudulent state tax returns filed through TurboTax, LA TIMES, Feb. 11, 2015, <http://www.latimes.com/business/la-fi-turbotax-fbi-20150212-story.html> (last visited Feb. 12, 2015).
44 Id.
45 Id.
49. As a result of Anthem’s negligent security practices and delay in
notifying affected customers, Plaintiffs and other former and current Anthem health
plan members and employees now face years of constant surveillance of their
financial and personal records, monitoring, and loss of rights. Plaintiffs and
members of the classes defined below are subject to an increased and concrete risk
of identity theft as a direct result of Anthem’s exposure of their Personal
Information.
CLASS ACTION ALLEGATIONS
50. Plaintiffs seek relief in their individual capacity and as representatives
of all others who are similarly situated. Pursuant to Fed. R. Civ. P. 23(a) and (b)(2)
and/or (b)(3), Plaintiffs bring this action on behalf of themselves and the classes
preliminarily defined as:
Current and former members of an Anthem health insurance plan and Anthem employees in California whose personal information was compromised as a result of the data breach announced in February 2015 (the “California Class”).
Current and former members of an Anthem health insurance plan and Anthem employees in the United States whose personal information was compromised as a result of the data breach announced in February 2015 (the “Nationwide Class”).
51. Excluded from the classes are Anthem, including any entity in which
Anthem has a controlling interest, is a parent or subsidiary, or which is controlled by
Anthem, as well as the officers, directors, affiliates, legal representatives, heirs,
predecessors, successors, and assigns of Anthem. Also excluded are the judges and
court personnel in this case and any members of their immediate families.
52. Numerosity. Fed. R. Civ. P. 23(a)(1). The members of the classes are
so numerous that the joinder of all members is impractical. While the exact number
of class members is unknown to Plaintiffs at this time, based on information and
belief, it is in the tens of millions.
53. Commonality. Fed. R. Civ. P. 23(a)(2) and (b)(3). There are questions
of law and fact common to the classes, which predominate over any questions
affecting only individual class members. These common questions of law and fact
include, without limitation:
a. Whether Anthem owed a duty to Plaintiffs and members of the
classes to adequately protect their personal and financial
information and to provide timely and accurate notice of the Data
Breach to Plaintiffs and members of the classes;
b. Whether Anthem knew or should have known that its computer
systems were vulnerable to attack;
c. Whether Anthem’s conduct, including its failure to act, resulted in
or was the proximate cause of the breach of its systems, resulting in
the loss of millions of consumers’ personal and financial data;
d. Whether Plaintiffs and members of the classes suffered injury,
including ascertainable losses, as a result of Anthem’s conduct or
failure to act;
e. Whether Anthem’s Personal Information storage and protection
protocols were reasonable under industry standards;
f. Whether Anthem violated California Civil Code section 1798.81.5
by failing to implement reasonable security procedures and
practices;
g. Whether Anthem violated California Civil Code section 1798.82 by
failing to promptly notify class members that their personal
information had been compromised;
h. Whether class members may obtain injunctive relief against Anthem
under Civil Code section 1798.84 or under California’s Unfair
Competition Law, Cal. Bus. & Prof. Code § 17200, et seq.;
i. Whether Plaintiffs and members of the classes are entitled to
recover actual damages and/or statutory damages; and
j. Whether Plaintiffs and members of the classes are entitled to
equitable relief, including injunctive relief, restitution, disgorgement
and/or other equitable relief.
54. All members of the proposed classes are readily ascertainable by
objective criteria. Anthem has access to addresses and other contact information for
members of the classes, which can be used for providing notice to many class
members.
55. Typicality. Fed. R. Civ. P. 23(a)(3). Plaintiffs’ claims are typical of
those of other class members because Plaintiffs’ information, like that of other class
members, was misused and/or disclosed by Anthem.
56. Adequacy of Representation. Fed. R. Civ. P. 23(a)(4). Plaintiffs will
fairly and adequately represent and protect the interests of the members of the
classes. Plaintiffs’ Counsel is competent and experienced in litigating class actions.
57. Superiority of Class Action. Fed. R. Civ. P. 23(b)(3). A class action is
superior to other available methods for the fair and efficient adjudication of this
controversy since joinder of all the members of the classes is impracticable.
Furthermore, the adjudication of this controversy through a class action will avoid
the possibility of inconsistent and potentially conflicting adjudication of the asserted
claims. There will be no difficulty in the management of this action as a class action.
58. Damages for any individual class member are likely insufficient to
justify the cost of individual litigation, so that in the absence of class treatment,
Anthem’s violations of law inflicting substantial damages in the aggregate would go
un-remedied without certification of the classes.
59. Class certification is also appropriate under Fed. R. Civ. P. 23(a) and
(b)(2), because Anthem has acted or has refused to act on grounds generally
applicable to the classes, so that final injunctive relief or corresponding declaratory
relief is appropriate as to the classes as a whole.
FIRST CAUSE OF ACTION
Negligence
(On Behalf of Plaintiffs and the Nationwide Class)
60. Plaintiffs incorporate by reference all preceding paragraphs as if fully
set forth herein.
61. Plaintiffs bring this cause of action on behalf of the Nationwide Class
whose personal information was compromised as a result of the data breach
publicized in February 2015.
62. In collecting the personal information of its current and former health
insurance plan members and employees, Anthem owed Plaintiffs and members of
the class a duty to exercise reasonable care in safeguarding and protecting that
information. This duty included, among other things, maintaining and testing
Anthem’s security systems and taking other reasonable security measures to protect
and adequately secure the personal data of Plaintiffs and the class from unauthorized
access and use. Anthem’s security system and procedures for handling the personal
information of its current and former health insurance plan members and employees
were intended to affect Plaintiffs and the class. Anthem was aware that by taking
such sensitive information of its health insurance plan members and employees, it
had a responsibility to take reasonable security measures to protect the data from
being stolen and, in the event of theft, easily accessed.
63. The duty Anthem owed to Plaintiffs and members of the class to
protect their personal information is also underscored by the California Customer
Records Act and HIPAA, which recognize the importance of maintaining the
confidentiality of personal information and were established to protect individuals
from improper disclosure of their personal information.
64. Additionally, Anthem had a duty to timely disclose to Plaintiffs and
members of the class that their personal information had been or was reasonably
believed to have been compromised. Timely disclosure is appropriate so that
Plaintiffs and members of the class could, among other things, report the theft of
their Social Security numbers to the Internal Revenue Service, monitor their credit
reports for identity fraud, undertake appropriate measures to avoid unauthorized
charges on their debit card or credit card accounts, and change or cancel their debit
or credit card PINs (personal identification numbers) to prevent or mitigate the risk
of fraudulent cash withdrawals or unauthorized transactions.
65. There is a close causal connection between Anthem’s failure to take
reasonable security standards to protect its current and former health insurance plan
members’ and employees’ data and the injury to Plaintiffs and the class. When
individuals have their personal information stolen, they are at risk for identity theft,
and need to buy credit monitoring services and purchase credit reports to determine
whether identity theft has occurred.
66. Anthem is morally to blame for not protecting the data of its current
and former health insurance plan members and employees by failing to take
reasonable security measures. If Anthem had taken reasonable security measures,
data thieves would not have been able to take the personal information of tens of
millions of current and former Anthem health insurance plan members and Anthem
employees.
67. The policy of preventing future harm weighs in favor of finding a
special relationship between Anthem and the class. Anthem’s health insurance plan
members and employees rely on Anthem as their provider and/or employer to keep
their data safe and in fact are required to share sensitive personal data with Anthem
as a condition of health plan enrollment and/or employment. If companies are not
held accountable for failing to take reasonable security measures to protect their
customers’ and employees’ personal information, then they will not take the steps
that are necessary to protect against future cyber-attacks and data breaches.
68. It was foreseeable that if Anthem did not take reasonable security
measures, the Personal Information of Plaintiffs and members of the class would be
stolen. Major corporations, particularly those in the healthcare industry, like
Anthem, face a higher threat of security breaches than other companies due in part
to the large amounts and type of data they possess and the value of such information
on the black market. Anthem should have known to take precautions to secure its
health plan members’ and employees’ data, especially in light of recent data
breaches and warnings regarding cyberattacks and network vulnerability in the
industry.
69. Anthem breached its duty to exercise reasonable care in protecting the
Personal Information of Plaintiffs and the class by failing to implement and maintain
adequate security measures to safeguard its health plan members’ and employees’
Personal Information, failing to monitor its systems to identify suspicious activity,
allowing unauthorized access to the personal information of Plaintiffs and the class,
and failing to encrypt or otherwise prevent unauthorized reading of such personal
information.
70. Anthem further breached its duty to timely notify Plaintiffs and the
class about the data breach. Anthem has failed to issue adequate notice to its current
and former health plan members and employees affected by the breach.
Additionally, Anthem was, or should have been, aware of breaches in its network
security at least as early as December 10, 2014.
71. But for Anthem’s failure to implement and maintain adequate security
measures to protect its current and former health plan members’ and employees’
personal information and failure to monitor its systems to identify suspicious
activity, the Personal Information of Plaintiffs and members of the class would not
have been stolen, and they would not be at a heightened risk of identity theft in the
future.
72. Anthem’s negligence was a substantial factor in causing harm to
Plaintiffs and members of the class.
73. As a direct and proximate result of Anthem’s failure to exercise
reasonable care and use commercially reasonable security measures, the personal
information of current and former Anthem health plan members and Anthem
employees was accessed by unauthorized individuals who could use the information
to commit identity fraud, medical fraud, or debit and credit card fraud. Plaintiffs and
the class face a heightened risk of identity theft.
74. Members of the class have also suffered economic damages, including
the purchase of credit monitoring services they would not have otherwise purchased.
75. Neither Plaintiffs nor other members of the class contributed to the
security breach, nor did they contribute to Anthem’s employment of insufficient
security measures to safeguard employees’ Personal Information.
76. Plaintiffs and the class seek compensatory damages and punitive
damages with interest, the costs of suit and attorneys’ fees, and other and further
relief as this Court deems just and proper.
SECOND CAUSE OF ACTION
Breach of Contract
(On Behalf of Plaintiffs and the Nationwide Class)
77. Plaintiffs incorporate by reference all preceding paragraphs as if fully
set forth herein.
78. Anthem’s Personal Information Privacy Protection Policy promises that
the company “maintains policies that protect the confidentiality of personal
information, including Social Security numbers, obtained from its members and
associates in the course of its regular business functions. Anthem Blue Cross and
Blue Shield is committed to protecting information about its customers and
associates, especially the confidential nature of their personal information (PI).”
Anthem also purports to “safeguard[] Social Security numbers and other personal
information by having physical, technical, and administrative safeguards in place.”
79. Anthem’s privacy policies constitute an agreement between (1) Anthem
and (2) its health plan members and employees.
80. Anthem has breached its agreement with class members to protect their
personal information by (1) failing to implement security measures designed to
prevent this attack even though the industry has been repeatedly warned about the
risk of cyber-attacks, (2) failing to employ security protocols to detect the
unauthorized network activity, and (3) failing to maintain basic security measures
such as complex data encryption so that if data were accessed or stolen it would be
unreadable.
81. Plaintiffs and class members have been damaged by Anthem’s breach
of its obligations because their personal information has been compromised and they
are at an increased risk for future identity theft and fraudulent activity on their
financial accounts. Plaintiffs and class members have been deprived of the value of
their Personal Information and have lost money and property as a result of Anthem’s
unlawful and unfair conduct.
82. Plaintiffs, individually and on behalf of the members of the Nationwide
Class, seek (a) damages suffered by members of the class, (b) equitable relief, and
(c) injunctive relief requiring Anthem to implement safeguards consistent with its
contractual promises.
THIRD CAUSE OF ACTION
Violation of the California Customer Records Act,
California Civil Code Section 1798.80, et seq.
(On Behalf of Plaintiffs and the California Class)
83. Plaintiffs incorporate by reference all preceding paragraphs as if fully
set forth herein.
84. Plaintiffs bring this cause of action on behalf of the California Class
who made purchases with a debit or credit card at an Anthem store within three
years of the filing of this lawsuit.
85. “[T]o ensure that personal information about California residents is
protected,” the California Legislature enacted Civil Code section 1798.81.5, which
requires that any business that “owns or licenses personal information about a
California resident shall implement and maintain reasonable security procedures and
practices appropriate to the nature of the information, to protect the personal
information from unauthorized access, destruction, use, modification, or disclosure.”
86. Anthem is a “business” within the meaning of Civil Code section
1798.80(a).
87. Plaintiffs and members of the class are “individual[s]” within the
meaning of the Civil Code section 1798.80(d). Pursuant to Civil Code sections
1798.80(e) and 1798.81.5(d)(1)(C), “personal information” includes an individual’s
name, Social Security number, driver’s license or state identification card number,
debit card and credit card information, medical information, or health insurance
information. “Personal information” under Civil Code section 1798.80(e) also
includes address, telephone number, passport number, education, employment,
employment history, or health insurance information.
88. The breach of the data of the debit and credit card information of
millions of accounts of Anthem customers constituted a “breach of the security
system” of Anthem pursuant to Civil Code section 1798.82(g).
89. By failing to implement reasonable measures to protect its former and
current health insurance plan members’ and its employees’ personal data, Anthem
violated Civil Code section 1798.81.5.
90. In addition, by failing to promptly notify all affected former and current
Anthem plan members and employees that their personal information had been
acquired (or was reasonably believed to have been acquired) by unauthorized
persons in the data breach, Anthem violated Civil Code section 1798.82 of the same
title. Anthem’s failure to timely notify employees of the breach has caused damage
to class members who have had to buy identity protection services or take other
measures to remediate the breach caused by Anthem’s negligence.
91. By violating Civil Code sections 1798.81.5 and 1798.82, Anthem “may
be enjoined” under Civil Code section 1798.84(e).
92. Accordingly, Plaintiffs request that the Court enter an injunction
requiring Anthem to implement and maintain reasonable security procedures to
protect employees’ and members’ data in compliance with the California Customer
Records Act, including, but not limited to: (1) ordering that Anthem, consistent with
industry standard practices, engage third party security auditors/penetration testers
as well as internal security personnel to conduct testing, including simulated attacks,
penetration tests, and audits on Anthem’s systems on a periodic basis; (2) ordering
that Anthem engage third party security auditors and internal personnel, consistent
with industry standard practices, to run automated security monitoring; (3) ordering
that Anthem audit, test, and train its security personnel regarding any new or
modified procedures; (4) ordering that Anthem, consistent with industry standard
practices, conduct regular database scanning and securing checks; (5) ordering that
Anthem, consistent with industry standard practices, periodically conduct internal
training and education to inform internal security personnel how to identify and
contain a breach when it occurs and what to do in response to a breach; (6) ordering
Anthem to meaningfully educate its former and current members and employees
about the threats they face as a result of the loss of their personal information to
third parties, as well as the steps they must take to protect themselves; and (7)
ordering Anthem to encrypt sensitive personal information.
93. Plaintiffs further request that the Court require Anthem to (1) identify
and notify all members of the California Class who have not yet been informed of
the data breach; and (2) to notify affected customers of any future data breaches by
email within 24 hours of Anthem’s discovery of a breach or possible breach and by
mail within 72 hours.
94. As a result of Anthem’s violation of Civil Code sections 1798.81.5 and
1798.82, Plaintiffs and members of the California Class have and will incur
economic damages relating to time and money spent remedying the breach,
including but not limited to, expenses for bank fees associated with the breach, any
unauthorized charges made on financial accounts, lack of access to funds while
banks issue new cards, tax fraud, as well as the costs of credit monitoring and
purchasing credit reports.
95. Plaintiffs, individually and on behalf of the members of the California
Class, seek all remedies available under Civil Code section 1798.84, including, but
not limited to: (a) damages suffered by members of the class; and (b) equitable
relief.
96. Plaintiffs, individually and on behalf of the members of the California
Class, seek reasonable attorneys’ fees and costs under applicable law.
FOURTH CAUSE OF ACTION
Unlawful and Unfair Business Practices Under California Business and
Professions Code § 17200, et seq.
(On Behalf of Plaintiffs and the California Class)
97. Plaintiffs incorporate by reference all preceding paragraphs as if fully
set forth herein.
98. Plaintiffs bring this cause of action on behalf of members of the
California Class whose personal information was compromised as a result of the
data breach publicized in February 2015.
99. Anthem’s acts and practices, as alleged in this Complaint, constitute
unlawful and unfair business practices, in violation of the Unfair Competition Law
(“UCL”), Cal. Bus. & Prof. Code § 17200, et seq., HIPAA, and because Anthem’s
conduct was negligent:
a. Anthem’s practices were unlawful and in violation of California
Civil Code section 1798.81.5(b) because Anthem failed to take
reasonable security measures in protecting its former and current
employees’ personal data;
b. Anthem’s practices were unlawful and in violation of California
Civil Code section 1798.82 because Anthem has unreasonably
delayed informing Plaintiffs and members of the class about the
breach of security after Anthem knew the data breach occurred;
c. Anthem violated HIPAA by failing to establish procedures to keep
employees’ medical information confidential and private. Protected
health information under HIPAA includes “individually identifiable
health information,” including name, address, date of birth, and
social security number. The Department of Health and Human
Services Office of Civil Rights issued a statement regarding the
Anthem data breach, which noted that “[t]he personally identifiable
information health plans maintain on enrollees and members —
including names and social security numbers — is protected under
HIPAA, even if no specific diagnostic or treatment information is
disclosed.” 45 C.F.R. § 164.530(c)(1) requires that Anthem
implement reasonable safeguards for this information, which
Anthem failed to do. 45 C.F.R. § 164.404 requires that companies
provide notice of the breach of unsecured protected health
information, which includes protected health information that is not
rendered unusable, unreadable, or indecipherable to unauthorized
persons – i.e. non-encrypted data. See 45 C.F.R. § 164.402. Anthem
has failed to provide such notice.
100. The acts, omissions, and conduct of Anthem constitute a violation of
the unlawful prong of the UCL because they failed to comport with a reasonable
standard of care and California public policy as reflected in statutes such as the
Information Practices Act of 1977, Cal. Civ. Code § 1798, et seq., California
Customer Records Act, and HIPAA, which seek to protect customer data and ensure
that entities who solicit or are entrusted with personal data utilize reasonable
security measures.
101. In failing to protect plan members’ and employees’ personal
information and unduly delaying informing them of the data breach, Anthem has
engaged in unfair business practices by engaging in conduct that undermines or
violates the stated policies underlying the California Customer Records Act and the
Information Practices Act of 1977. In enacting the California Customer Records
Act, the Legislature stated that: “[i]dentity theft is costly to the marketplace and to
consumers” and that “victims of identity theft must act quickly to minimize the
damage; therefore expeditious notification of possible misuse of a person’s personal
information is imperative.” 2002 Cal. Legis. Serv. Ch. 1054 (A.B. 700). Anthem’s
conduct also undermines California public policy as reflected in other statutes such
as the Information Practices Act of 1977, Cal. Civ. Code § 1798, et seq., which
seeks to protect individuals’ data and ensure that entities who solicit or are entrusted
with personal data utilize reasonable security measures.
102. As a direct and proximate result of Anthem’s unlawful and unfair
business practices as alleged herein, Plaintiffs and members of the California Class
have suffered injury in fact. Plaintiffs and the California Class have been injured in
that their personal information has been compromised and they are at an increased
risk for future identity theft and fraudulent activity on their financial accounts. Class
members have also lost money and property by purchasing credit-monitoring
services they would not otherwise have had to purchase but for Anthem’s unlawful and unfair
conduct.
103. As a direct and proximate result of Anthem’s unlawful and unfair
business practices as alleged herein, Plaintiffs and members of the California Class
face an increased risk of identity theft and medical fraud, based on the theft and
disclosure of their personal information.
104. Because of Anthem’s unfair and unlawful business practices, Plaintiffs
and members of the California Class are entitled to relief, including restitution for
costs incurred associated with the data breach and disgorgement of all profits
accruing to Anthem because of its unlawful and unfair business practices,
declaratory relief, and a permanent injunction enjoining Anthem from its unlawful
and unfair practices.
105. The injunctive relief that Plaintiffs and members of the California Class
are entitled to includes, but is not limited to: (1) ordering that Anthem, consistent
with industry standard practices, engage third party security auditors/penetration
testers as well as internal security personnel to conduct testing, including simulated
attacks, penetration tests, and audits on Anthem’s systems on a periodic basis; (2)
ordering that Anthem engage third party security auditors and internal personnel,
consistent with industry standard practices, to run automated security monitoring;
(3) ordering that Anthem audit, test, and train its security personnel regarding any
new or modified procedures; (4) ordering that Anthem, consistent with industry
standard practices, conduct regular database scanning and securing checks; (5)
ordering that Anthem, consistent with industry standard practices, periodically
conduct internal training and education to inform internal security personnel how to
identify and contain a breach when it occurs and what to do in response to a breach;
(6) ordering Anthem to meaningfully educate its former and current members and
employees about the threats they face as a result of the loss of their personal
information to third parties, as well as the steps they must take to protect
themselves; and (7) ordering Anthem to encrypt sensitive personal information.
106. Plaintiffs, individually and on behalf of the members of the California
Class, also seek reasonable attorneys’ fees and costs under applicable law.
PRAYER FOR RELIEF
WHEREFORE, Plaintiffs, on behalf of themselves and the classes set forth
herein, respectfully request the following relief:
a. That the Court certify this case as a class action pursuant to Fed. R.
Civ. P. 23(a), (b)(2) and/or (b)(3), and, pursuant to Fed. R. Civ. P.
23(g), appoint the named Plaintiffs to be Class representatives and
the undersigned counsel to be Class counsel;
b. That the Court award Plaintiffs and the classes appropriate relief,
including actual and statutory damages, restitution and
disgorgement;
c. That the Court award Plaintiffs and the classes equitable, injunctive
and declaratory relief as may be appropriate under applicable state
laws;
d. That the Court award Plaintiffs and the classes actual damages,
compensatory damages, statutory damages, and statutory penalties,
to the full extent permitted by law, in an amount to be determined;
e. That the Court award Plaintiffs and the classes pre-judgment and
post-judgment interest;
f. That the Court award Plaintiffs and the classes reasonable attorney
fees and costs as allowable by law; and
g. That the Court award Plaintiffs and the classes such other, favorable
relief as allowable under law or at equity.
JURY DEMAND
Plaintiffs hereby demand a jury trial in the instant action.
Dated: February 13, 2015
Respectfully submitted,
By: s/ Jason S. Hartley
Jason S. Hartley (CA Bar No. 192514)
STUEVE SIEGEL HANSON LLP
550 West C. Street, Suite 1750
San Diego, CA 92101
Tel: (619) 400-5822
Fax: (619) 400-5832
Norman E. Siegel
Barrett J. Vahle
J. Austin Moore (pro hac vice forthcoming)
STUEVE SIEGEL HANSON LLP
460 Nichols Road, Suite 200
Kansas City MO 64112
Tel: (816) 714-7100
Fax: (816) 714-7101
Joseph M. Barton (CA Bar No. 188441)
LAW OFFICES OF JOSEPH M. BARTON
628 Manzanita Avenue
Corte Madera, CA 94925
Telephone: 415-235-9162
[email protected]
John K. Landay, Esq. (CA Bar No. 257573)
LANDAY ROBERTS LLP
450 J Street, Unit 5291
San Diego, CA 92101
(805) 305-3384
[email protected]
Counsel for Plaintiffs and the Classes