doe v anthem


Upload: bennet-kelley

Post on 17-Jul-2016


DESCRIPTION

Data Breach Class Action Central District of California.

TRANSCRIPT

Page 1: Doe v Anthem

CLASS ACTION COMPLAINT

ZIMMERMAN REED, PLLP
BRADLEY C. BUHROW (CA Bar No. 283791)
E-mail: [email protected]
14646 N. Kierland Blvd., Suite 145
Scottsdale, Arizona 85254
(480) 348-6400
(480) 348-6415 Facsimile

RIDOUT LYON + OTTOSON, LLP
CHRISTOPHER P. RIDOUT (SBN: 143721)
E-mail: [email protected]
CALEB MARKER (SBN: 294155)
E-mail: [email protected]
555 E. Ocean Blvd., Suite 500
Long Beach, California 90802
(562) 216-7380
(562) 216-7385 Facsimile

Attorneys for Plaintiffs

(Additional Counsel Listed Below)

UNITED STATES DISTRICT COURT

CENTRAL DISTRICT OF CALIFORNIA

John Doe, individually and on behalf of all others similarly situated,

Plaintiff,

v.

ANTHEM, INC., d/b/a Anthem Health, Inc., an Indiana corporation, THE ANTHEM COMPANIES, INC., an Indiana corporation, THE ANTHEM COMPANIES OF CALIFORNIA, INC., a California corporation, ANTHEM BLUE CROSS LIFE AND HEALTH INSURANCE COMPANY, a California corporation, and DOES 1-25,

Defendants.

Case No. ___________

CLASS ACTION COMPLAINT FOR:

1. Negligence

2. Violations of Cal. Bus. & Prof. Code §17200, et seq.

3. Violation of Cal. Civ. Code §1798.80, et seq.

4. Violation of Cal. Civ. Code §56, et seq.

DEMAND FOR JURY TRIAL

Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 1 of 21 Page ID #:1

Plaintiff John Doe (“Plaintiff”), on behalf of himself and all others similarly

situated, brings this class action against Defendants Anthem, Inc., doing business as

Anthem Health, Inc., The Anthem Companies, Inc., The Anthem Companies of

California, Inc., Anthem Blue Cross Life and Health Insurance Company,

(collectively, “Anthem”), and Does 1-25 (collectively, “Defendants”). Plaintiff makes

the following allegations upon information and belief, except as to his own actions,

the investigation of his counsel, and the facts that are a matter of public record.

NATURE OF CLAIM

1. On February 4, 2015, Anthem announced that unauthorized persons had

accessed and obtained from Anthem’s IT Systems the personal information of current

and former Anthem members, including their names, birthdays, medical IDs, social

security numbers, street addresses, email addresses and employment information.

According to Anthem’s own public statements, all Anthem product lines across the

country were impacted by this data breach.

2. This massive breach of Anthem’s IT Systems (“Data Breach”) would

not have occurred, or would not have occurred with such severity, but for Anthem’s

failure to maintain adequate, reasonable and industry-standard data security, a failure

that represents gross disregard of the duties and obligations Anthem owed to Plaintiff

and the Class members.

3. Plaintiff brings this consumer class action against Defendants to recover

statutory and common law damages resulting from Defendants’ failure to safeguard

and secure the personally identifiable information (“PII”) and personal health related

information (“PHI”) of Plaintiff and Class members that they provided to Defendants

for safekeeping. In addition, Plaintiff seeks restitution and injunctive relief that will

ensure that Anthem protects Plaintiff’s and the Class members’ PII and PHI from any

future breaches.

4. As detailed below, Plaintiff brings this action on behalf of himself and all

similarly situated individuals in the United States, and a subclass of California

residents, whose PII and/or PHI was released to unauthorized persons as a result of

Anthem’s failure to safeguard that information while residing on Anthem’s IT

Systems.

PARTIES

5. Plaintiff is an individual who resides in Los Angeles, California.

6. At this time, Plaintiff brings this litigation under a pseudonym to prevent

public disclosure of his identity to protect information highly sensitive and personal to

him and to prevent further invasion of his privacy. Plaintiff will disclose his identity

to Defendants’ counsel and/or this Court upon demand.

7. Defendant Anthem, Inc., doing business as Anthem Health, Inc., is an

Indiana corporation, registered with the California Secretary of State to do business in

California, and headquartered in Indianapolis, Indiana.

8. Defendant The Anthem Companies, Inc. is an Indiana corporation,

registered with the California Secretary of State to do business in California, and

headquartered in Indianapolis, Indiana.

9. Defendant The Anthem Companies of California, Inc. is a California

corporation and headquartered in Indianapolis, Indiana.

10. Defendant Anthem Blue Cross Life and Health Insurance Company is a

California corporation and headquartered in Indianapolis, Indiana.

JURISDICTION AND VENUE

11. This Court has original jurisdiction pursuant to 28 U.S.C. §1332(d)(2).

In the aggregate, Plaintiff’s claims and the claims of the other members of the Class

exceed $5,000,000 exclusive of interest and costs, and there are numerous class

members who are citizens of states other than Defendants’ states of citizenship, which

are Indiana and California.

12. This Court has personal jurisdiction over Anthem because Anthem is

authorized to do and does business in the State of California.

13. Venue is proper in this Court pursuant to 28 U.S.C. §1391 because many

of the acts and transactions giving rise to this action occurred in this District and

because Anthem is subject to personal jurisdiction in this District.

GENERAL ALLEGATIONS

14. Anthem, Inc., previously known as WellPoint, Inc., is one of the largest

for-profit managed health care companies in the United States. According to its fourth

quarter 2014 earnings report, Anthem has over 37 million members enrolled in its

health insurance products nationwide, with a $2.6 billion net income for 2014.

15. Plaintiff is a member of an Anthem Blue Cross HMO Plan. As an

Anthem Plan Member, Plaintiff provided his PII and PHI to Anthem for safekeeping

on Anthem’s IT Systems.

16. On or about February 4, 2015, Anthem published a notice at

anthemfacts.com that Anthem’s members had fallen victim to a data breach stating

that “the personal information from our current and former members such as their

names, birthdays, medical IDs/Social Security numbers, street addresses, email

addresses and employment information, including income data.”

<www.anthemfacts.com/faq> (last visited Feb. 9, 2015).

17. In its answers to Frequently Asked Questions (“Answers”), Anthem

admitted that all of its health insurance product lines had been impacted by the Data

Breach. Id.

18. Defendant Anthem Blue Cross Life And Health Insurance Company

recently stated that of these 80 million current and former members affected by the

breach, roughly 8 million are enrollees within the State of California.1

19. Recent reports indicate that the Data Breach may have started as far back

as April 2014.2

20. On February 6, 2015, Anthem’s spokeswoman Cindy Wakefield

1 <www.californiahealthline.org/articles/2015/2/6/doi-launches-investigation-into--anthems-response-to-breach> (last visited Feb. 9, 2015).

2 <http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/> (last visited Feb. 9, 2015).

confirmed news reports that the information released to unauthorized persons as a

result of the Data Breach had not been encrypted. <www.reuters.com/article/2015/02/07/us-anthem-cybersecurity-warning-idUSKBN0LA24F20150207> (last visited Feb. 9, 2015).

21. On the same day, Anthem amended its Answers to warn its members that

scam e-mail campaigns launched in the wake of the Data Breach were targeting

current and former Anthem members. According to Anthem, such “phishing”

activities “are designed to appear as if they are from Anthem and the emails include a

‘click here’ link for credit monitoring.” Id. Anthem cautions that the emails are not

from Anthem and instructs members not to click on any links provided in the emails

and not to provide any information to the senders of such “phishing” emails.

22. As amended, Anthem’s Answers do not provide any information as to

when its IT System was first compromised, how long unauthorized persons had access

to its IT System or what measures have been taken to prevent further breaches.

23. As amended, Anthem’s Answers do not definitely state that its

members’ banking and medical information was not disclosed to third parties.

24. Given Anthem’s carefully worded and conclusory Answers, Plaintiff

believes and therefore alleges that his and the Class members’ medical information

was released and disclosed to third parties as a result of the Data Breach.

25. Given Anthem’s carefully worded and conclusory Answers, Plaintiff

believes and therefore alleges that his and the Class members’ banking and credit card

information was also released and disclosed to third parties as a result of the Data

Breach.

26. On information and belief, Plaintiff’s and the Class members’ PII and

PHI was disclosed to unauthorized persons as a result of the Data Breach, resulting in

the breach of confidentiality of that PII and PHI.

DEFENDANTS’ FAILURE TO IMPLEMENT ADEQUATE SECURITY OF ITS IT SYSTEMS VIOLATED FEDERAL AND CALIFORNIA LAWS

27. Under HIPAA and the HITECH Act, Defendants must implement

policies and procedures that limit physical access to their electronic information

systems and the facility or facilities in which they are housed, while ensuring that

properly authorized access is allowed. 45 C.F.R. §164.310.

28. Such policies and procedures must: (a) ensure the confidentiality,

integrity, and availability of all electronic protected health information the covered

entity or business associate creates, receives, maintains, or transmits; (b) protect

against any reasonably anticipated threats or hazards to the security or integrity of

such information; and, (c) protect against any reasonably anticipated uses or

disclosures of such information that are not permitted. Id. at §164.306.

29. Further, Defendants must implement technical policies and procedures

for electronic information systems that maintain PII/PHI to allow access only to those

persons or software programs that have been granted access rights under applicable

HIPAA regulations. Id. at §164.312.

30. When Defendants permit business associates to create, receive, maintain,

or transmit electronic PII/PHI, they must ensure that those business associates comply

with HIPAA and the HITECH Act. Id. at §164.314.

31. Defendants must also conduct an accurate and thorough assessment of

the potential risks and vulnerabilities to the confidentiality, integrity and availability

of electronic protected information held by the covered entity or business associate;

implement procedures to regularly review records of information system activity, such

as audit logs, access reports, and security incident tracking reports; and implement

procedures for guarding against, detecting, and reporting malicious software. Id. at

§164.308.

32. Similarly, the California Confidentiality of Medical Information Act: (a)

requires health care service plans, including Defendants, to protect and secure the

PII/PHI of their members; (b) imposes penalties for violations of the Act; and, (c)

authorizes individuals to bring suit to recover actual and nominal damages for

violations of the Act.

33. On information and belief, Defendants, in violation of HIPAA and the

California Act, did not establish and implement adequate security measures to protect

the PII/PHI residing on Defendants’ IT Systems.

34. Defendants were on notice of the need to re-visit and tighten the security of

their IT Systems but, upon information and belief, failed to do so.

35. In April 2011, the California Department of Managed Healthcare

published a letter “to emphasize to health care service plans (health plans) their

obligations to protect and secure the private medical information of their enrollees.”

In doing so, the Department cautioned that “[a]s the use of electronic protected health

information (PHI) becomes more widespread, the likelihood of unintentional breaches

and disclosures also increases. The foreseeable nature of these events requires that

preventative measures be taken to ensure that enrollee information is protected.”

36. In April 2014, the FBI issued two Private Industry Notifications (“PIN”)

to the healthcare industry warning that healthcare organizing systems, including

medical devices, could be vulnerable to cyber-attacks.

37. Specifically, on April 8, 2014, the FBI issued a PIN to the healthcare

industry warning that “[c]yber actors will likely increase cyber intrusions against

health care systems --- to include medical devices --- due to mandatory transition from

paper to electronic health records (HER), lax cyber security standards and a higher

financial payout for medical records in the black market.” The FBI Notice also

cautioned that the “health care industry is not as resilient to cyber intrusions compared

to the financial and retail sectors, therefore the possibility of increased cyber

intrusions is likely.”

38. Thereafter, on April 17, 2014, the FBI issued its second PIN, which,

upon information and belief, contained updates on information disclosed in the April

8, 2014 PIN.

39. Despite these warnings of foreseeable security breaches, Defendants

flagrantly disregarded their obligations to safeguard Plaintiff’s and the Class

members’ PII/PHI by intentionally, willfully, recklessly and/or negligently failing to

establish and implement adequate security of their IT Systems. Anthem improperly

handled and stored Plaintiff’s and the Class members’ PII/PHI, leaving it unsecured

and unencrypted on Defendants’ IT Systems and, as a result, failed to maintain the

PII/PHI in accordance with applicable, required, and appropriate cyber-security

protocols, policies and procedures.

40. As a direct result of Defendants’ common course of unlawful conduct,

Plaintiff’s and the Class members’ PII/PHI was released, accessed, breached and

disclosed to unauthorized persons.

DEFENDANTS’ FAILURE TO IMPLEMENT ADEQUATE SECURITY OF ITS IT SYSTEMS HARMED PLAINTIFF AND THE CLASS

41. In the words of the Federal Trade Commission (“FTC”), the information

Defendants released to unauthorized persons, including Plaintiff’s PII and PHI, is “as

good as gold” to identity thieves.3

42. Identity theft occurs when someone uses another’s PII and/or PHI, such

as that person’s name, address, credit card number, credit card expiration dates, and

other information, without permission, to commit fraud or other crimes. Id. The FTC

estimates that as many as 9 million Americans have their identities stolen each year.

Id.

43. Identity thieves can use identifying data to open new financial accounts

and incur charges in another person’s name, take out loans in another person’s name,

incur charges on existing accounts, or clone ATM, debit, or credit cards. Id.

44. Identity thieves can use PII and PHI such as that pertaining to Plaintiff

3 FTC, About Identity Theft, available at: <www.vanderbilt.edu/PersonalIdentityTheftProtection.pdf> (last visited Feb. 5, 2015).

and the Class, which Defendants failed to keep secure, to perpetrate a variety of crimes

that do not cause financial loss, but nonetheless harm the victims. For instance,

identity thieves may commit various types of government fraud such as: immigration

fraud; obtaining a driver’s license or identification card in the victim’s name but with

another’s picture; using the victim’s information to obtain government benefits; or,

filing a fraudulent tax return using the victim’s information to obtain a fraudulent

refund.

45. In addition, identity thieves may get medical services using the Plaintiff’s

PII and PHI or commit any number of other frauds, such as obtaining a job, procuring

housing or even giving false information to police during an arrest.

46. Annual monetary losses from identity theft are in the billions of dollars.

According to a Presidential Report on identity theft produced in 2008:

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts,...individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, at p.11 (April 2007), available at <www.ftc.gov/sites/default/files/documents/reports/combating-identity-theft-strategic-plan/strategicplan.pdf> (last visited Feb. 5, 2015).

47. According to the U.S. Government Accountability Office (“GAO”),

which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may

be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.

GAO, Report to Congressional Requesters, at p.33 (June 2007), available at

<www.gao.gov/new.items/d07737.pdf> (last visited Feb. 5, 2015).

48. “In addition to the financial harm associated with other types of identity

theft, victims of medical identity theft may have their health endangered by inaccurate

entries in their medical records. This inaccurate information can potentially cause

victims to receive improper medical care, have their insurance depleted, become

ineligible for health or life insurance, or become disqualified from some jobs.

Victims may not even be aware that a theft has occurred because medical identity

theft can be difficult to discover, as few consumers regularly review their medical

records, and victims may not realize that they have been victimized until they receive

collection notices, or they attempt to seek medical care themselves, only to discover

that they have reached their coverage limits.” Id. at 30.

49. “With the advent of the prescription drug benefit of Medicare Part D, the

Department of Health and Human Services’ Office of the Inspector General (HHS

OIG) has noted a growing incidence of health care frauds involving identity theft.”

Identity thieves can use such information “fraudulently to enroll unwilling

beneficiaries in alternate Part D plans in order to increase...sales commissions” or

commit other types of fraud. “The types of fraud that can be perpetrated by an identity

thief are limited only by the ingenuity and resources of the criminal.” Id. at 31.

50. The unauthorized disclosure of Social Security Numbers can be

particularly damaging, because Social Security Numbers cannot easily be replaced. In

order to obtain a new number, a person must prove, among other things, that he or

she continues to be disadvantaged by the misuse. Thus, no new number can be

obtained until the damage has been done. Furthermore, as the Social Security

Administration (“SSA”) warns:

a new number probably will not solve all your problems. This is because other governmental agencies (such as the Internal Revenue Service and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) likely will have records under your old number. Also, because credit reporting companies use the number, along with other personal information, to identify your credit record, using a new number will not guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.

If you receive a new Social Security Number, you will not be able to use the old number anymore.

For some victims of identity theft, a new number actually creates new problems. If the old credit information is not associated with the new number, the absence of any credit history under the new number may make it more difficult for you to get credit.

SSA, Identity Theft and Your Social Security Number, SSA Publication No. 05-10064

(Aug. 2009), available at <www.ssa.gov/pubs/10064.html> (last visited Feb. 5, 2015).

51. Anthem’s wrongful actions and inaction directly and proximately caused

the release and disclosure into the public domain of Plaintiff’s and Class members’

unencrypted PII/PHI without their authorization, knowledge or consent.

52. As a further and direct and proximate result of Anthem’s wrongful

actions and inaction and the resulting Data Breach, Plaintiff and Class members have

suffered and will continue to suffer, economic damages and other actual harm

including, without limitation: (i) the untimely and inadequate notification of the Data

Breach; (ii) improper release and disclosure of their PII/PHI; (iii) loss of privacy; (iv)

out-of-pocket expenses incurred to mitigate the increased risk of identity theft and

identity fraud pressed upon them by the Data Breach; (v) the value of their time spent

mitigating identity theft and/or identity fraud and/or the increased risk of identity theft

and/or identity fraud; (vi) deprivation of the value of their PII/PHI, for which there is

a well-established national and international market; (vii) anxiety and emotional

distress; and, (viii) violation of rights they possess under the California statutes as

detailed below.

53. Plaintiff and the Class he seeks to represent now face years of constant

surveillance of their financial and medical records, monitoring, loss of rights, and

potential medical problems.

54. Indeed, according to one identity theft expert quoted in a recent news

article, the Data Breach represents a “mass victimization of the worst kind:”

“This is absolutely the worst kind of data breach, because thieves have stolen the information that’s the most valuable, the most dangerous and impossible to change or cancel,” said Neal O’Farrell, Credit Sesame’s (http://www.creditsesame.com) security and identity theft expert in an email. “This is mass victimization of the worst kind.”

Anthem Data Breach Could be “Lifelong” Battle for Customers, Shari Rudavsky <http://indystar.com/story/news/2015/02/05/anthem-data-breach-lifelong-battle-customers/22953623> (last visited 2/6/15).

CLASS ACTION ALLEGATIONS

55. Plaintiff brings this action on his own behalf, and on behalf of all other

persons similarly situated in the United States (the “Nationwide Class”). The

Nationwide Class that Plaintiff seeks to represent is:

All persons who reside in the United States and have purchased health insurance from Anthem, Inc. d/b/a Anthem Health, Inc., The Anthem Companies, Inc., The Anthem Companies Of California, Inc., and/or Anthem Blue Cross Life And Health Insurance Company, and whose personally identifiable information, personal health information, and/or financial information was breached as a result of the data breach announced on or about February 4, 2015.

56. Further, Plaintiff brings this action on his own behalf, and on behalf of

all other persons similarly situated who reside in the State of California (the

“California Class”). The California Class that Plaintiff seeks to represent is:

All persons who reside in California and have purchased health insurance from Anthem, Inc. d/b/a Anthem Health, Inc., The Anthem Companies, Inc., The Anthem Companies Of California, Inc., and/or Anthem Blue Cross Life And Health Insurance Company, and whose personally identifiable information, personal health information, and/or financial information was breached as a result of the data breach announced on or about February 4, 2015.

57. Specifically excluded from the Nationwide Class and the California

Class are: (a) Defendants; any officers, directors, or employees of Defendants; any

entity in which Defendants have a controlling interest; any affiliates, legal

representatives, attorneys, heirs, and assigns of Defendants; (b) the Court, Court

Personnel and members of their immediate families; and, (c) Plaintiff’s counsel and

their staff and members of their immediate families.

58. All requirements for class certification in Fed. R. Civ. P. 23(a) and

23(b)(3) are satisfied with respect to the Nationwide Class and the California Class.

59. Numerosity of the Class. The members of the Nationwide Class and the

California Class are so numerous that the joinder of all members is impractical.

While the exact number of the members of each Class is unknown to Plaintiff at this

time, based upon information and belief, each Class has in excess of one million

members.

60. Ascertainable Class. The community of interest among the Class

members in the litigation is well-defined and the proposed class is ascertainable from

objective criteria. If necessary to preserve the case as a class action, the court itself

can redefine the Classes and/or create sub-classes.

61. Common Questions of Fact and Law Exist and Predominate over

Individual Issues. There is a well-defined community of interest in the questions of

law and fact involved affecting the parties to be represented. These common

questions of law and fact exist as to all members of the Class and predominate over

any questions affecting only individual members, including, but not limited to:

a. Whether Defendants unlawfully used, maintained, lost or disclosed

Class members’ PII and PHI;

b. Whether Anthem unreasonably delayed in notifying affected

customers of the data breach;

c. Whether Defendants failed to implement and maintain reasonable

security procedures and practices appropriate to the nature and

scope of the information compromised in the data breach;

d. Whether Defendants violated the requirements of HIPAA and the

HITECH Act;

e. Whether Defendants violated the requirements of California Civil

Code §1798.80, et seq. (California Class);

f. Whether Defendants’ conduct violated the California Business &

Professions Code §17200, et seq. (California Class);

g. Whether Defendants’ conduct was negligent;

h. Whether Defendants acted willfully and/or with oppression, fraud,

or malice;

i. Whether Defendants unlawfully used, maintained, lost or disclosed

Class members’ PII and PHI;

j. Whether Defendants’ conduct violated the California

Confidentiality of Medical Information Act, California Civil Code

§56, et seq. (California Class); and

k. Whether Plaintiff and the Class are entitled to damages, civil

penalties, punitive damages, and/or injunctive relief.

62. Typicality. Plaintiff is a member of and presents claims that are typical

of members of each Class. Plaintiff’s claims are typical of those of other Class

members because Plaintiff’s PII and PHI, like that of every other Class member, was

misused and/or disclosed by Defendants’ common course of misconduct – i.e.,

Defendants’ failure to implement security of the IT Systems that housed Plaintiff’s

and the Class members’ PII/PHI.

63. Adequacy of Representation. Plaintiff will fairly and accurately

represent the interests of each Class. Plaintiff shares a common interest with all Class

members, with respect to Defendants’ conduct described herein and redress of same.

Plaintiff has retained counsel who are competent and experienced in the prosecution

of complex litigation and class actions. Plaintiff and his undersigned counsel intend

to prosecute this action vigorously and faithfully for the benefit of the Class members.

Plaintiff has no interests contrary to the class members, and will fairly and adequately

protect the interests of the Class members.

64. Predominance / Community of Interest. The proposed Classes have a

well-defined community of interest in the questions of fact and law to be litigated.

The common questions of law and fact predominate with respect to the liability

issues, relief issues and anticipated affirmative defenses. Plaintiff has claims typical of

the Class members. Without limitation, as a result of Defendants’ conduct alleged

herein, Plaintiff was: (a) injured; and, (b) sustained pecuniary loss in an ascertainable

amount to be proven at the time of trial.

65. Superiority of Class Adjudication. The prosecution of separate actions

by individual members of each Class would create a risk of inconsistent or varying

adjudications with respect to individual members of each Class, which would

establish incompatible standards of conduct for Defendants and would lead to

repetitive adjudication of common questions of law and fact. Accordingly, class

treatment is superior to any other method for adjudicating the controversy. Plaintiff

knows of no difficulty that will be encountered in the management of this litigation

that would preclude its maintenance as a class action under Rule 23(b)(3). Damages

for any individual class member are likely insufficient to justify the cost of individual

litigation, so that in the absence of class treatment, Defendants’ violations of law

inflicting substantial damages in the aggregate would go un-remedied without

certification of the Nationwide Class and the California Class.

66. Damages for any individual class member are likely insufficient to

justify the cost of individual litigation, so that in the absence of class treatment,

Defendants’ violations of law inflicting substantial damages in the aggregate would

go un-remedied without certification of the Nationwide Class and the California

Class.

67. Defendants have acted or refused to act on grounds that apply generally

to each Class, as alleged above, and certification is proper under Rule 23(b)(2).

FIRST COUNT

(On behalf of the National Class)

Negligence

68. Plaintiff incorporates the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

69. Defendants came into possession of Plaintiff’s PII and PHI and had a

duty to exercise reasonable care in safeguarding and protecting such information from

being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.

70. Defendants had a duty to timely disclose that Plaintiff’s PII and PHI

within its possession had been compromised.

71. Defendants had a duty to have procedures in place to detect and prevent

the loss or unauthorized dissemination of Plaintiff’s PII and PHI.

72. Defendants, through their actions and/or omissions, unlawfully breached

their duty to Plaintiff by failing to exercise reasonable care in protecting and

safeguarding Plaintiff’s PII and PHI within Defendants’ possession.

73. Defendants, through their actions and/or omissions, unlawfully breached

their duty to Plaintiff by failing to exercise reasonable care by failing to have

appropriate procedures in place to detect and prevent access and dissemination of

Plaintiff’s PII and PHI to unauthorized persons.

74. Defendants, through their actions and/or omissions, unlawfully breached

their duty to timely disclose to the Plaintiff and the Class members the fact that their

PII and PHI within their possession had been released to unauthorized persons.

75. Defendants’ negligent and wrongful breach of their duties owed to

Plaintiff and the Class proximately caused Plaintiff’s and Class members’ PII and PHI

to be released to unauthorized persons.

76. Plaintiff seeks the award of actual damages on behalf of the Class.

SECOND COUNT

(On Behalf of the California Class)

Violations of the California Unfair Competition Law,

Cal. Bus. & Prof. Code §17200, et seq.

77. Plaintiff incorporates the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

78. Defendants’ conduct constitutes unfair and illegal and fraudulent

business practices within the meaning of the California Business & Professions Code

§17200, et seq. (the “UCL”).

79. Defendants’ conduct violated certain laws as alleged herein. By

engaging in the said conduct in the course of doing business, Defendants engaged in

unlawful business practices in violation of the UCL, including violations of HIPAA

and the HITECH Act requirements and the California requirements for protecting PII

and PHI in Defendants’ possession, custody and control.

80. By engaging in the above-described conduct in the course of doing

business, Defendants engaged in unfair business practices in violation of the UCL.

The harm to each Plaintiff outweighed any utility that Defendants’ conduct may have

produced.

81. Plaintiff suffered injury in fact and lost property and money as a result of

Defendants’ conduct.

82. Plaintiff seeks restitution and injunctive relief on behalf of the Class.

THIRD COUNT

(On behalf of the California Class)

Violation of Cal. Civ. Code §1798.80, et seq.

83. Plaintiff incorporates the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

84. The data breach described above constituted a “breach of the security

system” of Defendants, within the meaning of §1798.82(g) of the California Civil

Code.

85. The information lost in the data breach constituted “personal

information” within the meaning of §1798.80(e) of the California Civil Code.

86. Defendants failed to implement and maintain reasonable security

procedures and practices appropriate to the nature and scope of the information

compromised in the data breach.

87. Defendants unreasonably delayed informing anyone about the breach of

security of Class members’ confidential and non-public information after Defendants

knew the data breach had occurred.

88. Defendants failed to disclose to Class members, without unreasonable

delay, and in the most expedient time possible, the breach of security of their

unencrypted, or not properly and securely encrypted, personal information when they

knew or reasonably believed such information had been compromised.

89. Upon information and belief, no law enforcement agency instructed

Defendants that notification to Class members would impede investigation.

90. As a result of Defendants’ violation of Cal. Civ. Code §1798.80 et seq.,

Plaintiff and other Class members have incurred and/or will incur economic damages,

including expenses associated with necessary credit monitoring.

91. Plaintiff, individually and on behalf of the Class, seeks all remedies

available under Cal. Civ. Code §1798.84, including, but not limited to: (a) damages

suffered by Class members as alleged above; (b) statutory damages for Defendants’

willful, intentional, and/or reckless violation of Cal. Civ. Code §1798.83; and, (c)

equitable relief.

92. Plaintiff, individually and on behalf of the Class, also seeks reasonable

attorneys’ fees and costs under Cal. Civ. Code §1798.84(g).

FOURTH COUNT

(On behalf of the California Class)

Violation of the California Confidentiality of Medical Information Act,

Cal. Civ. Code §56, et seq.

93. Plaintiff incorporates the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

94. Defendants are health care service plans and/or providers of health care

within the meaning of the California Confidentiality of Medical Information Act, Cal.

Civ. Code §56 et seq. (“CCMIA”).

95. Plaintiff is a subscriber, enrollee and/or patient as defined in the CCMIA.

96. Defendants maintain medical information as defined in the CCMIA,

including the medical information of Plaintiff and the Class.

97. Defendants have misused and/or disclosed medical information regarding

Plaintiff and the Class without written authorization as required under the CCMIA.

98. As a result of Defendants’ failure to safeguard Plaintiff’s and the Class

members’ medical information, such information has been disclosed to unauthorized

persons, resulting in the breach of confidentiality of that medical information.

99. Defendants’ misuse and/or disclosure of medical information regarding

the Plaintiff and the Class constitute a violation of Civil Code §§56.10, 56.11, 56.13,

and 56.26.

100. Plaintiff and the Class have suffered damages from the improper misuse

and/or disclosure of their medical information and therefore Plaintiff and the Class

seek relief under Civil Code §§56.35 and 56.36.

101. Even in absence of actual damages, Plaintiff and members of the Class

are entitled to nominal damages under Civil Code §56.36(b).

102. Plaintiff and the Class seek actual damages, statutory damages, nominal

damages, statutory penalties, attorney fees and costs pursuant to Civil Code §§56.35

and 56.36.

PRAYER FOR RELIEF

WHEREFORE Plaintiff prays for judgment as follows:

A. For an Order certifying this action as a class action and appointing

Plaintiff and his Counsel to represent the Class;

B. For equitable relief enjoining Defendants from engaging in the wrongful

conduct complained of herein pertaining to the misuse and/or disclosure of Plaintiff’s

and Class members’ personally identifiable information, personal health information,

and financial information, and from failing to issue prompt, complete and accurate

disclosures to the Plaintiff and Class members;

C. For equitable relief requiring restitution and disgorgement of the

revenues wrongfully retained as a result of Defendants’ wrongful conduct;

D. For an award of actual damages, compensatory damages, statutory

damages, and statutory penalties, in an amount to be determined;

E. For an award of punitive damages;

F. For an award of attorneys’ fees and costs, as allowable by law; and,

G. Such other and further relief as this court may deem just and proper.

DEMAND FOR JURY TRIAL

Plaintiff hereby demands a jury trial of his claims to the extent authorized by

law.

Respectfully submitted,

ZIMMERMAN REED, PLLP

Dated: February 9, 2015

/s/ Bradley C. Buhrow
Bradley C. Buhrow, Esq.
14646 N. Kierland Blvd., Suite 145
Scottsdale, AZ 85254
(480) 348-6400

RIDOUT LYON + OTTOSON, LLP
Christopher P. Ridout, Esq.
Caleb Marker, Esq.
555 E. Ocean Blvd., Suite 500
Long Beach, CA 90802
(562) 216-7380

RIDOUT LYON + OTTOSON, LLP
David A. McKay (GA Bar No. 666557)
(Pending Admission Pro Hac Vice)
E-mail: [email protected]
North Point Center East, Suite 400
Alpharetta, Georgia 30022
(678) 366-5050
(678) 366-5001 Facsimile

Attorneys for Plaintiffs
