doe v anthem
DESCRIPTION
Data Breach Class Action Central District of California.TRANSCRIPT
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
ZIMMERMAN REED, PLLPBRADLEY C. BUHROW (CA Bar No. 283791)
E-mail: [email protected] N. Kierland Blvd., Suite 145Scottsdale, Arizona 85254(480) 348-6400(480) 348-6415 Facsimile
RIDOUT LYON + OTTOSON, LLPCHRISTOPHER P. RIDOUT (SBN: 143721)
E-mail: [email protected] MARKER (SBN: 294155)
E-mail: [email protected] E. Ocean Blvd., Suite 500Long Beach, California 90802(562) 216-7380(562) 216-7385 Facsimile
Attorneys for Plaintiffs
(Additional Counsel Listed Below)
UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF CALIFORNIA
John Doe, individually and on behalf ofall others similarly situated,
Plaintiff,v.
ANTHEM, INC., d/b/a Anthem Health,Inc., an Indiana corporation, THEANTHEM COMPANIES, INC., anIndiana corporation, THE ANTHEMCOMPANIES OF CALIFORNIA, INC.,a California corporation, ANTHEMBLUE CROSS LIFE AND HEALTHINSURANCE COMPANY, a Californiacorporation, and DOES 1-25,
Defendants.
Case No. ___________
CLASS ACTION COMPLAINT FOR:
1. Negligence2. Violations of Cal. Bus. & Prof.
Code §17200, et seq.3. Violation of Cal. Civ. Code
§1798.80, et seq.4. Violation of Cal. Civ. Code
§56, et seq.
DEMAND FOR JURY TRIAL
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 1 of 21 Page ID #:1
2
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Plaintiff John Doe (“Plaintiff”), on behalf of himself and all others similarly
situated, brings this class action against Defendants Anthem, Inc., doing business as
Anthem Health, Inc., The Anthem Companies, Inc., The Anthem Companies of
California, Inc., Anthem Blue Cross Life and Health Insurance Company,
(collectively, “Anthem”), and Does 1-25 (collectively, “Defendants”). Plaintiff makes
the following allegations upon information and belief, except as to his own actions,
the investigation of his counsel, and the facts that are a matter of public record.
NATURE OF CLAIM
1. On February 4, 2015, Anthem announced that unauthorized persons had
accessed and obtained from Anthem’s IT Systems the personal information of current
and former Anthem members, including their names, birthdays, medical IDs, social
security numbers, street addresses, email addresses and employment information.
According to Anthem’s own public statements, all Anthem product lines across the
country were impacted by this data breach.
2. This massive breach of Anthem’s IT Systems (“Data Breach”) would
not have occurred, or would not have occurred with such severity, but for Anthem’s
failure to maintain adequate, reasonable and industry-standard data security, a failure
that represents gross disregard of the duties and obligations Anthem owed to Plaintiff
and the Class members.
3. Plaintiff brings this consumer class action against Defendants to recover
statutory and common law damages resulting from Defendants’ failure to safeguard
and secure the personally identifiable information “PII” and personal health related
information “PHI”) of Plaintiff and Class members that they provided to Defendants’
for safekeeping. In addition, Plaintiff seeks restitution and injunctive relief that will
ensure that Anthem protects Plaintiff’s and the Class members PII and PHI from any
future breaches.
4. As detailed below, Plaintiff brings this action on behalf of himself and all
similarly situated individuals in the United States, and a subclass of California
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 2 of 21 Page ID #:2
3
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
residents, whose PII and/or PHI was released to unauthorized persons as a result of
Anthem’s failure to safeguard that information while residing on Anthem’s IT
Systems.
PARTIES
5. Plaintiff is an individual who resides in Los Angeles, California.
6. At this time, Plaintiff brings this litigation under a pseudonym to prevent
public disclosure of his identity to protect information highly sensitive and personal to
him and to prevent further invasion of his privacy. Plaintiff will disclose his identity
to Defendants’ counsel and/or this Court upon demand.
7. Defendant Anthem, Inc., doing business as Anthem Health, Inc., is an
Indiana corporation, registered with the California Secretary of State to do business in
California, and headquartered in Indianapolis, Indiana.
8. Defendant The Anthem Companies, Inc. is an Indiana corporation,
registered with the California Secretary of State to do business in California, and
headquartered in Indianapolis, Indiana.
9. Defendant The Anthem Companies of California, Inc. is a California
corporation and headquartered in Indianapolis, Indiana.
10. Defendant Anthem Blue Cross Life and Health Insurance Company is a
California corporation and headquartered in Indianapolis, Indiana.
JURISDICTION AND VENUE
11. This Court has original jurisdiction pursuant to 28 U.S.C. §1332(d)(2).
In the aggregate, Plaintiff’s claims and the claims of the other members of the Class
exceed $5,000,000 exclusive of interest and costs, and there are numerous class
members who are citizens of states other than Defendants’ states of citizenship, which
are Indiana and California.
12. This Court has personal jurisdiction over Anthem because Anthem is
authorized to do and does business in the State of California.
13. Venue is proper in this Court pursuant to 28 U.S.C. §1391 because many
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 3 of 21 Page ID #:3
4
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
of the acts and transactions giving rise to this action occurred in this District and
because Anthem is subject to personal jurisdiction in this District.
GENERAL ALLEGATIONS
14. Anthem, Inc., previously known as WellPoint, Inc., is one of the largest
for-profit managed health care companies in the United States. According to its fourth
quarter 2014 earnings report, Anthem has over 37 million members enrolled in its
health insurance products nationwide, with a $2.6 billion net income for 2014.
15. Plaintiff is a member of an Anthem Blue Cross HMO Plan. As an
Anthem Plan Member, Plaintiff provided his PII and PHI to Anthem for safekeeping
on Anthem’s IT Systems.
16. On or about February 4, 2015, Anthem published a notice at
anthemfacts.com that Anthem’s members had fallen victim to a data breach stating
that “the personal information from our current and former members such as their
names, birthdays, medical IDs/Social Security numbers, street addresses, email
addresses and employment information, including income data.”
<www.anthemfacts.com/faq> (last visited Feb. 9, 2015).
17. In its answers to Frequently Asked Questions (“Answers”), Anthem
admitted that all of its health insurance product lines had been impacted by the Data
Breach. Id.
18. Defendant Anthem Blue Cross Life And Health Insurance Company
recently stated that of these 80 million current and former members affected by the
breach, roughly 8 million are enrollees within the State of California.1
19. Recent reports indicate that the Data Breach may have started as far back
as April 2014.2
20. On February 6, 2015, Anthem’s spokeswoman Cindy Wakefield
1 <www.californiahealthline.org/articles/2015/2/6/doi-launches-investigation-into--anthems-response-to-breach> (last visited Feb. 9, 2015).2 <http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/> (last visited Feb. 9, 2015).
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 4 of 21 Page ID #:4
5
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
confirmed news reports that the information released to unauthorized persons as a
result of the Data Breach had not been encrypted. <www.reuters.com/article/
2015/02/07/us-anthem-cybersecurity-warning-idUSKBN0LA24F20150207> (last
visited Feb. 9, 2015).
21. On the same day, Anthem amended its Answers to warn its members that
scam e-mail campaigns launched in the wake of the Data Breach were targeting
current and former Anthem members. According to Anthem, such “phishing”
activities “are designed to appear as if they are from Anthem and the emails include a
‘click here’ link for credit monitoring.” Id. Anthem cautions that the emails are not
from Anthem and instructs members not to click on any links provided in the emails
and not to provide any information to the senders of such “phishing” emails.
22. As amended, Anthem’s Answers do not provide any information as to
when its IT System was first compromised, how long unauthorized persons had access
to its IT System or what measures have been taken to prevent further breaches.
23. As Amended, Anthem’s Answers do not definitely state that its
members’ banking and medical information was not disclosed to third parties.
24. Given Anthem’s carefully worded and conclusory Answers, Plaintiff
believes and therefore alleges that his and the Class members’ medical information
was released and disclosed to third parties as a result of the Data Breach.
25. Given Anthem’s carefully worded and conclusory Answers, Plaintiff
believes and therefore alleges that his and the Class members’ banking and credit card
information was also released and disclosed to third parties as a result of the Data
Breach.
26. On information and belief, Plaintiff’s and the Class members’ PII and
PHI was disclosed to unauthorized persons as a result of the Data Breach, resulting in
the breach of confidentiality of that PII and PHI.
/ / /
/ / /
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 5 of 21 Page ID #:5
6
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
DEFENDANTS’ FAILURE TO IMPLEMENTADEQUATE SECURITY OF ITS IT SYSTEMS VIOLATED
FEDERAL AND CALIFORNIA LAWS
27. Under HIPAA and the HITECH Act, Defendants must implement
policies and procedures that limit physical access to their electronic information
systems and the facility or facilities in which they are housed, while ensuring that
properly authorized access is allowed. 45 C.F.R. §164.310.
28. Such policies and procedures must: (a) ensure the confidentiality,
integrity, and availability of all electronic protected health information the covered
entity or business associate creates, receives, maintains, or transmits; (b) protect
against any reasonably anticipated threats or hazards to the security or integrity of
such information; and, (c) protect against any reasonably anticipated uses or
disclosures of such information that are not permitted. Id. at §164.306
29. Further, Defendants must implement technical policies and procedures
for electronic information systems that maintain PII/PHI to allow access only to those
persons or software programs that have been granted access rights under applicable
HIPAA regulations. Id. at §164.312.
30. When Defendants permit business associates to create, receive, maintain,
or transmit electronic PII/PHI, they must ensure that those business associates comply
with HIPAA and the HITECH Act. Id. at §164.314.
31. Defendants must also conduct an accurate and thorough assessment of
the potential risks and vulnerabilities to the confidentiality, integrity and availability
of electronic protected information held by the covered entity or business associate;
implement procedures to regularly review records of information system activity, such
as audit logs, access reports, and security incident tracking reports; and implement
procedures for guarding against, detecting, and reporting malicious software. Id. at
§164.308.
32. Similarly, the California Confidentiality of Medical Information Act: (a)
requires health care service plans, including Defendants, to protect and secure the
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 6 of 21 Page ID #:6
7
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
PII/PHI of their members; (b) imposes penalties for violations of the Act; and, (c)
authorizes individuals to bring suit to recover actual and nominal damages for
violations of the Act.
33. On information and belief, Defendants, in violation of HIPAA and the
California Act, did not establish and implement adequate security measures to protect
the PII/PHI residing on Defendants’ IT Systems.
34. Defendants were on notice of the need re-visit and tighten the security of
their IT Systems but, upon information and belief, failed to do so.
35. In April 2011, the California Department of Managed Healthcare
published a letter “to emphasize to health care service plans (health plans) their
obligations to protect and secure the private medical information of their enrollees.”
In doing so, the Department cautioned that “[a]s the use of electronic protected health
information (PHI) becomes more widespread, the likelihood of unintentional breaches
and disclosures also increases. The foreseeable nature of these events requires that
preventative measures be taken to ensure that enrollee information is protected.”
36. In April 2014, the FBI issued two Private Industry Notifications (“PIN”)
to the healthcare industry warning that healthcare organizing systems, including
medical devices, could be vulnerable to cyber-attacks.
37. Specifically, on April 8, 2014, the FBI issued a PIN to the healthcare
industry warning that “[c]yber actors will likely increase cyber intrusions against
health care systems --- to include medical devices --- due to mandatory transition from
paper to electronic health records (HER), lax cyber security standards and a higher
financial payout for medical records in the black market.” The FBI Notice also
cautioned that the “health care industry is not as resilient to cyber intrusions compared
to the financial and retail sectors, therefore the possibility of increased cyber
intrusions is likely.”
38. Thereafter, on April 17, 2014, the FBI issued its second PIN, which,
upon information and belief, contained updates on information disclosed in the April
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 7 of 21 Page ID #:7
8
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
8, 2014 PIN.
39. Despite these warnings of foreseeable security breaches, Defendants
flagrantly disregarded their obligations to safeguard Plaintiff’s and the Class
members’ PII/PHI by intentionally, willfully, recklessly and/or negligently failing to
establish and implement adequate security of their IT Systems. Anthem improperly
handled and stored Plaintiff’s and the Class members’ PII/PHI, leaving it unsecured
and unencrypted on Defendants’ IT Systems and, as a result, failed to maintain the
PII/PHI in accordance with applicable, required, and appropriate cyber-security
protocols, policies and procedures.
40. As a direct result of Defendants’ common course of unlawful conduct,
Plaintiff’s and the Class members’ PII/PHI was released, accessed, breached and
disclosed to unauthorized persons.
DEFENDANTS’ FAILURE TO IMPLEMENTADEQUATE SECURITY OF ITS IT SYSTEMS
HARMED PLAINTIFF AND THE CLASS
41. In the words of the Federal Trade Commission (“FTC”), the information
Defendants released to unauthorized persons, including Plaintiff’s PII and PHI, is “as
good as gold” to identity thieves.3
42. Identity theft occurs when someone uses another’s PII and/or PHI, such
as that person’s name, address, credit card number, credit card expiration dates, and
other information, without permission, to commit fraud or other crimes. Id. The FTC
estimates that as many as 9 million Americans have their identities stolen each year.
Id.
43. Identity thieves can use identifying data to open new financial accounts
and incur charges in another person’s name, take out loans in another person’s name,
incur charges on existing accounts, or clone ATM, debit, or credit cards. Id.
44. Identity thieves can use PII and PHI such as that pertaining to Plaintiff
3 FTC, About Identity Theft, available at: <www.vanderbilt.edu/PersonalIdentityTheftProtection.pdf> (last visited Feb. 5, 2015).
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 8 of 21 Page ID #:8
9
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
and the Class, which Defendants failed to keep secure to perpetrate a variety of crimes
that do not cause financial loss, but nonetheless harm the victims. For instance,
identity thieves may commit various types of government fraud such as: immigration
fraud; obtaining a driver’s license or identification card in the victim’s name but with
another’s picture; using the victim’s information to obtain government benefits; or,
filing a fraudulent tax return using the victim’s information to obtain a fraudulent
refund.
45. In addition, identity thieves may get medical services using the Plaintiff’s
PII and PHI or commit any number of other frauds, such as obtaining a job, procuring
housing or even giving false information to police during an arrest.
46. Annual monetary losses from identity theft are in the billions of dollars.
According to a Presidential Report on identity theft produced in 2008:
In addition to the losses that result when identity thieves fraudulentlyopen accounts or misuse existing accounts,...individual victims oftensuffer indirect financial costs, including the costs incurred in both civillitigation initiated by creditors and in overcoming the many obstaclesthey face in obtaining or retaining credit. Victims of non-financialidentity theft, for example, health-related or criminal record fraud, faceother types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollarsfor the victims of new account identity theft, and the emotional tollidentity theft can take, some victims have to spend what can be aconsiderable amount of time to repair the damage caused by the identitythieves. Victims of new account identity theft, for example, must correctfraudulent information in their credit reports and monitor their reports forfuture inaccuracies, close existing bank accounts and open new ones, anddispute charges with individual creditors.
The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic
Plan, at p.11 (April 2007), available at <www.ftc.gov/sites/default/files/
documents/reports/combating-identity-theft-strategic-plan/strategicplan.pdf> (last
visited Feb. 5, 2015).
47. According to the U.S. Government Accountability Office (“GAO”),
which conducted a study regarding data breaches:
[L]aw enforcement officials told us that in some cases, stolen data may
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 9 of 21 Page ID #:9
10
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
be held for up to a year or more before being used to commit identitytheft. Further, once stolen data have been sold or posted on the Web,fraudulent use of that information may continue for years. As a result,studies that attempt to measure the harm resulting from data breachescannot necessarily rule out all future harm.
GAO, Report to Congressional Requesters, at p.33 (June 2007), available at
<www.gao.gov/new.items/d07737.pdf> (last visited Feb. 5, 2015).
48. “In addition to the financial harm associated with other types of identity
theft, victims of medical identity theft may have their health endangered by inaccurate
entries in their medical records. This inaccurate information can potentially cause
victims to receive improper medical care, have their insurance depleted, become
ineligible for health or life insurance, or become disqualified from some jobs.
Victims may not even be aware that a theft has occurred because medical identity
theft can be difficult to discover, as few consumers regularly review their medical
records, and victims may not realize that they have been victimized until they receive
collection notices, or they attempt to seek medical care themselves, only to discover
that they have reached their coverage limits.” Id. at 30.
49. “With the advent of the prescription drug benefit of Medicare Part D, the
Department of Health and Human Services’ Office of the Inspector General (HHS
OIG) has noted a growing incidence of health care frauds involving identity theft.”
Identity thieves can use such information “fraudulently to enroll unwilling
beneficiaries in alternate Part D plans in order to increase...sales commissions” or
commit other types of fraud. “The types of fraud that can be perpetrated by an identity
thief are limited only by the ingenuity and resources of the criminal.” Id. at 31.
50. The unauthorized disclosure of Social Security Numbers can be
particularly damaging, because Social Security Numbers cannot easily be replaced. In
order to obtain a new number, a person must prove, among other things, which he or
she continues to be disadvantaged by the misuse. Thus, no new number can be
obtained until the damage has been done. Furthermore, as the Social Security
Administration (“SSA”) warns:
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 10 of 21 Page ID #:10
11
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
a new number probably will not solve all your problems. This is becauseother governmental agencies (such as the Internal Revenue Service andstate motor vehicle agencies) and private businesses (such as banks andcredit reporting companies) likely will have records under your oldnumber. Also, because credit reporting companies use the number, alongwith other personal information, to identify your credit record, using anew number will not guarantee you a fresh start. This is especially true ifyour other personal information, such as your name and address, remainsthe same.
If you receive a new Social Security Number, you will not be able to usethe old number anymore.
For some victims of identity theft, a new number actually creates newproblems. If the old credit information is not associated with the newnumber, the absence of any credit history under the new number maymake it more difficult for you to get credit.
SSA, Identity Theft and Your Social Security Number, SSA Publication No. 05-10064
(Aug. 2009), available at <www.ssa.gov/pubs/10064.html> (last visited Feb. 5, 2015).
51. Anthem’s wrongful actions and inaction directly and proximately caused
the release and disclosure into the public domain of Plaintiff’s and Class members’
unencrypted PII/PHI without their authorization, knowledge or consent.
52. As a further and direct and proximate result of Anthem’s wrongful
actions and inaction and the resulting Data Breach, Plaintiff and Class members have
suffered and will continue to suffer, economic damages and other actual harm
including, without limitation: (i) the untimely and inadequate notification of the Data
Breach; (ii) improper release and disclosure of their PII/PHI; (iii) loss of privacy; (iv)
out-of-pocket expenses incurred to mitigate the increased risk of identity theft and
identity fraud pressed upon them by the Data Breach; (v) the value of their time spent
mitigating identity theft and/or identity fraud and/or the increased risk of identity theft
and/or identity fraud; (vi) deprivation of the value of their PII/PHI, for which there is
a well-established national and international market; (vii) anxiety and emotional
distress; and, (viii) violation of rights they possess under the California statutes as
detailed below.
53. Plaintiff and the Class he seeks to represent now face years of constant
surveillance of their financial and medical records, monitoring, loss of rights, and
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 11 of 21 Page ID #:11
12
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
potential medical problems.
54. Indeed, according to one identity theft expert quoted in a recent news
article, the Data Breach represents a “mass victimization of the worst kind:”
“This is absolutely the worst kind of data breach, because thieves havestolen the information that’s the most valuable, the most dangerous andimpossible to change or cancel,” said Neal O’Farrell, Credit Sesame’s(http://www.creditsesame.com) security and identity theft expert in anemail. “This is mass victimization of the worst kind.”
Anthem Data Breach Could be “Lifelong” Battle for Customers, Shari Rudavsky
<http://indystar.com/story/news/2015/02/05/anthem-data-breach-lifelong-battle-
customers/22953623> (last visited 2/6/15).
CLASS ACTION ALLEGATIONS
55. Plaintiff brings this action on his own behalf, and on behalf of all other
persons similarly situated in the United States (the “Nationwide Class”). The
Nationwide Class that Plaintiff seeks to represent is:
All persons who reside in the United States and have purchased healthinsurance from Anthem, Inc. d/b/a Anthem Health, Inc., The AnthemCompanies, Inc., The Anthem Companies Of California, Inc., and/orAnthem Blue Cross Life And Health Insurance Company, and whosepersonally identifiable information, personal health information, and/orfinancial information was breached as a result of the data breachannounced on or about February 4, 2015.
56. Further, Plaintiff brings this action on his own behalf, and on behalf of
all other persons similarly situated who reside in the State of California (the
“California Class”). The California Class that Plaintiff seeks to represent is:
All persons who reside in the California and have purchased healthinsurance from Anthem, Inc. d/b/a Anthem Health, Inc., The AnthemCompanies, Inc., The Anthem Companies Of California, Inc., and/orAnthem Blue Cross Life And Health Insurance Company, and whosepersonally identifiable information, personal health information, and/orfinancial information was breached as a result of the data breachannounced on or about February 4, 2015.
57. Specifically excluded from the Nationwide Class and the California
Class are: (a) Defendants; any officers, directors, or employees of Defendants; any
entity in which Defendants have a controlling interest; any affiliates, legal
representatives, attorneys, heirs, and assigns of Defendants; (b) the Court, Court
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 12 of 21 Page ID #:12
13
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Personnel and members of their immediate families; and, (c) Plaintiff’s counsel and
their staff and members of their immediate families.
58. All requirements for class certification in Fed. R. Civ. P. 23(a) and
23(b)(3) are satisfied with respect to the Nationwide Class and the California Class.
59. Numerosity of the Class. The members of the Nationwide Class and the
California Class are so numerous that the joinder of all members is impractical.
While the exact number of the members of each Class is unknown to Plaintiff at this
time, based upon information and belief, each Class has in excess of one million
members.
60. Ascertainable Class. The community of interest among the Class
members in the litigation is well-defined and the proposed class is ascertainable from
objective criteria. If necessary to preserve the case as a class action, the court itself
can redefine the Classes and/or create sub-classes.
61. Common Questions of Fact and Law Exist and Predominate over
Individual Issues. There is a well-defined community of interest in the questions of
law and fact involved affecting the parties to be represented. These common
questions of law and fact exist as to all members of the Class and predominate over
any questions affecting only individual members, including, but not limited to:
a. Whether Defendants unlawfully used, maintained, lost or disclosed
Class members’ PII and PHI;
b. Whether Anthem unreasonably delayed in notifying affected
customers of the data breach;
c. Whether Defendants failed to implement and maintain reasonable
security procedures and practices appropriate to the nature and
scope of the information compromised in the data breach;
d. Whether Defendants violated the requirements of HIPAA and the
HITECH Act;
e. Whether Defendants violated the requirements of California Civil
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 13 of 21 Page ID #:13
14
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Code §1798.80, et seq.(California Class);
f. Whether Defendants’ conduct violated the California Business &
Professions Code §17200, et seq.(California Class);
g. Whether Defendants’ conduct was negligent;
h. Whether Defendants acted willfully and/or with oppression, fraud,
or malice;
i. Whether Defendants unlawfully used, maintained, lost or disclosed
Class members’ PII and PHI;
j. Whether Defendants’ conduct violated the California
Confidentiality of Medical Information Act, California Civil Code
§56, et seq. (California Class); and
k. Whether Plaintiff and the Class are entitled to damages, civil
penalties, punitive damages, and/or injunctive relief.
62. Typicality. Plaintiff is a member of and presents claims that are typical
of members of each Class. Plaintiff’s claims are typical of those of other Class
members because Plaintiff’s PII and PHI, like that of every other Class member, was
misused and/or disclosed by Defendants’ common course of misconduct – i.e.,
Defendants’ failure to implement security of the IT Systems that housed Plaintiff’s
and the Class members’ PII/PHI.
63. Adequacy of Representation. Plaintiff will fairly and accurately
represent the interests of each Class. Plaintiff shares a common interest with all Class
members, with respect to Defendants’ conduct described herein and redress of same.
Plaintiff has retained counsel who are competent and experienced in the prosecution
of complex litigation and class actions. Plaintiff and his undersigned counsel intend
to prosecute this action vigorously and faithfully for the benefit of the Class members.
Plaintiff has no interests contrary to the class members, and will fairly and adequately
protect the interests of the Class members.
64. Predominance / Community of Interest. The proposed Classes have a
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 14 of 21 Page ID #:14
15
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
well-defined community of interest in the questions of fact and law to be litigated.
The common questions of law and fact are predominate with respect to the liability
issues, relief issues and anticipated affirmative defenses. Plaintiff has claims typical of
the Class members. Without limitation, as a result of Defendants’ conduct alleged
herein, Plaintiff was: (a) injured; and, (b) sustained pecuniary loss in an ascertainable
amount to be proven at the time of trial.
65. Superiority of Class Adjudication. The prosecution of separate actions
by individual members of each Class would create a risk of inconsistent or varying
adjudications with respect to individual members of each Class, which would
establish incompatible standards of conduct for Defendants and would lead to
repetitive adjudication of common questions of law and fact. Accordingly, class
treatment is superior to any other method for adjudicating the controversy. Plaintiff
knows of no difficulty that will be encountered in the management of this litigation
that would preclude its maintenance as a class action under Rule 23(b)(3). Damages
for any individual class member are likely insufficient to justify the cost of individual
litigation, so that in the absence of class treatment, Defendants’ violations of law
inflicting substantial damages in the aggregate would go un-remedied without
certification of the Nationwide Class and the California Class
66. Damages for any individual class member are likely insufficient to
justify the cost of individual litigation, so that in the absence of class treatment,
Defendants’ violations of law inflicting substantial damages in the aggregate would
go un-remedied without certification of the Nationwide Class and the California
Class.
67. Defendants have acted or refused to act on grounds that apply generally
to each Class, as alleged above, and certification is proper under Rule 23(b)(2).
/ / /
/ / /
/ / /
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 15 of 21 Page ID #:15
16
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
FIRST COUNT
(On behalf of the National Class)
Negligence
68. Plaintiff incorporates the substantive allegations contained in all previous
paragraphs as if fully set forth herein.
69. Defendants came into possession of Plaintiff’s PII and PHI and had a
duty to exercise reasonable care in safeguarding and protecting such information from
being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.
70. Defendants had a duty to timely disclose that Plaintiff’s PII and PHI
within its possession had been compromised.
71. Defendants had a duty to have procedures in place to detect and prevent
the loss or unauthorized dissemination of Plaintiff’s PII and PHI.
72. Defendants, through their actions and/or omissions, unlawfully breached
their duty to Plaintiff by failing to exercise reasonable care in protecting and
safeguarding Plaintiff’s PII and PHI within Defendants’ possession.
73. Defendants, through their actions and/or omissions, unlawfully breached
their duty to Plaintiff by failing to exercise reasonable care by failing to have
appropriate procedures in place to detect and prevent access and dissemination of
Plaintiff’s PII and PHI to unauthorized persons.
74. Defendants, through their actions and/or omissions, unlawfully breached
their duty to timely disclose to the Plaintiff and the Class members the fact that their
PII and PHI within their possession had been released to unauthorized persons.
75. Defendants’ negligent and wrongful breach of their duties owed to
Plaintiff and the Class proximately caused Plaintiff’s and Class members’ PII and PHI
to be released to unauthorized persons.
76. Plaintiff seeks the award of actual damages on behalf of the Class.
/ / /
/ / /
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 16 of 21 Page ID #:16
17
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
SECOND COUNT
(On Behalf of the California Class)
Violations of the California Unfair Competition Law,
Cal. Bus. & Prof. Code §17200, et seq.
77. Plaintiff incorporates the substantive allegations contained in all previous
paragraphs as if fully set forth herein.
78. Defendants’ conduct constitutes unfair and illegal and fraudulent
business practices within the meaning of the California Business & Professions Code
§17200, et seq. (the “UCL”).
79. Defendants’ conduct violated certain laws as alleged herein. By
engaging in the said conduct in the course of doing business, Defendants engaged in
unlawful business practices in violation of the UCL, including violations of HIPAA
and the HITECH Act requirements and the California requirements for protecting PII
and PHI in Defendants’ possession, custody and control.
80. By engaging in the above-described conduct in the course of doing
business, Defendants engaged in unfair business practices in violation of the UCL.
The harm to each Plaintiff outweighed any utility that Defendants’ conduct may have
produced.
81. Plaintiff suffered injury in fact and lost property and money as a result of
Defendants’ conduct.
82. Plaintiff seeks restitution and injunctive relief on behalf of the Class.
THIRD COUNT
(On behalf of the California Class)
Violation of Cal. Civ. Code §1798.80, et seq.
83. Plaintiff incorporates the substantive allegations contained in all previous
paragraphs as if fully set forth herein.
84. The data breach described above constituted a “breach of the security
system” of Defendants, within the meaning of §1798.82(g) of the California Civil
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 17 of 21 Page ID #:17
18
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Code.
85. The information lost in the data breach constituted “personal
information” within the meaning of §1798.80(e) of the California Civil Code.
86. Defendants failed to implement and maintain reasonable security
procedures and practices appropriate to the nature and scope of the information
compromised in the data breach.
87. Defendants unreasonably delayed informing anyone about the breach of
security of Class members’ confidential and non-public information after Defendants
knew the data breach had occurred.
88. Defendants failed to disclose to Class members, without unreasonable
delay, and in the most expedient time possible, the breach of security of their
unencrypted, or not properly and securely encrypted, personal Information when they
knew or reasonably believed such information had been compromised.
89. Upon information and belief, no law enforcement agency instructed
Defendants that notification to Class members would impede investigation.
90. As a result of Defendants’ violation of Cal. Civ. Code §1798.80 et seq.,
Plaintiff and other Class members have incurred and/or will incur economic damages,
including expenses associated with necessary credit monitoring.
91. Plaintiff, individually and on behalf of the Class, seeks all remedies
available under Cal. Civ. Code §1798.84, including, but not limited to: (a) damages
suffered by Class members as alleged above; (b) statutory damages for Defendants’
willful, intentional, and/or reckless violation of Cal. Civ. Code §1798.83; and, (c)
equitable relief.
92. Plaintiff, individually and on behalf of the Class, also seeks reasonable
attorneys’ fees and costs under Cal. Civ. Code §1798.84(g).
/ / /
/ / /
/ / /
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 18 of 21 Page ID #:18
19
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
FOURTH COUNT
(On behalf of the California Class)
Violation of the California Confidentiality of Medical Information Act,
Cal. Civ. Code §56, et seq.
93. Plaintiff incorporates the substantive allegations contained in all previous
paragraphs as if fully set forth herein.
94. Defendants are health care service plans and/or providers of health care
within the meaning of the California Confidentiality of Medical Information Act, Cal.
Civ. Code §56 et seq. (“CCMIA”).
95. Plaintiff is a subscriber, enrollee and/or patient as defined in the CCMIA.
96. Defendants maintain medical information as defined in the CCMIA,
including the medical information of Plaintiff and the Class.
97. Defendants have misused and/or disclosed medical information regarding
Plaintiff and the Class without written authorization as required under the CCMIA.
98. As a result of Defendants’ failure to safeguard Plaintiff’s and the Class
members’ medical information, such information has been disclosed to unauthorized
persons, resulting in the breach of confidentiality of that medical information.
99. Defendants’ misuse and/or disclosure of medical information regarding
the Plaintiff and the Class constitute a violation of Civil Code §§56.10, 56.11, 56.13,
and 56.26.
100. Plaintiff and the Class have suffered damages from the improper misuse
and/or disclosure of their medical information and therefore Plaintiff and the Class
seek relief under Civil Code §§56.35 and 56.36.
101. Even in absence of actual damages, Plaintiff and members of the Class
are entitled to nominal damages under Civil Code §56.36(b).
102. Plaintiff and the Class seek actual damages, statutory damages, nominal
damages, statutory penalties, attorney fees and costs pursuant to Civil Code §§56.35
and 56.36.
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 19 of 21 Page ID #:19
20
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
PRAYER FOR RELIEF
WHEREFORE Plaintiff prays for judgment as follows:
A. For an Order certifying this action as a class action and appointing
Plaintiff and his Counsel to represent the Class;
B. For equitable relief enjoining Defendants from engaging in the wrongful
conduct complained of herein pertaining to the misuse and/or disclosure of Plaintiff’s
and Class members’ personally identifiable information, personal health information,
and financial information, and from failing to issue prompt, complete and accurate
disclosures to the Plaintiff and Class members;
C. For equitable relief requiring restitution and disgorgement of the
revenues wrongfully retained as a result of Defendants’ wrongful conduct;
D. For an award of actual damages, compensatory damages, statutory
damages, and statutory penalties, in an amount to be determined;
E. For an award of punitive damages;
F. For an award of attorneys’ fees and costs, as allowable by law; and,
G. Such other and further relief as this court may deem just and proper.
DEMAND FOR JURY TRIAL
Plaintiff hereby demands a jury trial of his claims to the extent authorized by
law.
Respectfully submitted,
ZIMMERMAN REED, PLLP
Dated: February 9, 2015 /s/ Bradley C. BuhrowBradley C. Buhrow, Esq.14646 N. Kierland Blvd., Suite 145Scottsdale, AZ 85254(480) 348-6400
RIDOUT LYON + OTTOSON, LLPChristopher P. Ridout, Esq.Caleb Marker, Esq.555 E. Ocean Blvd., Suite 500Long Beach, CA 90802(562) 216-7380
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 20 of 21 Page ID #:20
21
CLASS ACTION COMPLAINT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
RIDOUT LYON + OTTOSON, LLPDavid A. McKay (GA Bar No. 666557)(Pending Admission Pro Hac Vice)
E-mail: [email protected] North Point Center East, Suite 400Alpharetta, Georgia 30022(678) 366-5050(678) 366-5001 Facsimile
Attorneys for Plaintiffs
Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 21 of 21 Page ID #:21