Anthem Data Breach Lawsuit Heading for Trial
Following the mammoth 2015 data breach at Anthem Inc., around 100 lawsuits were filed by plan members seeking damages for the exposure of their protected health information. In June last year, the lawsuits were consolidated and moved to the Northern District of California and are being presided over by the Honorable Lucy H. Koh.
The cyberattack on Anthem was the largest healthcare data breach ever reported, involving approximately 37 million records and affecting close to 78.8 million individuals. The persons responsible for the cyberattack have not been identified, although the security breach is widely believed to have been a state-sponsored attack by Chinese hackers.
Class-action lawsuits are often filed by data breach victims following the exposure of personally identifiable information, although the cases are usually dismissed unless there is concrete evidence of actual harm of losses being suffered by the victims.
However, the huge data breach case has survived motions to dismiss and looks set to be heading to trial. Last week, Koh indicated the latest motion by the defense to dismiss the claims will likely to be rejected and told both sides that they should proceed with discovery.
At present there are seven claims, six of which are likely to survive the motion to dismiss. The 6 claims will require the court to consider an unprecedented number of contracts, and that is likely to make prompt adjudication extremely unlikely.
To ease the burden on the court, Koh asked both sides to consider reducing the number of claims to four. Even if both sides agree to reduce the number of claims, the case is unlikely to be resolved promptly. Due to the sheer number of contracts involved, discovery alone is likely to last between 6 months and a year.
Koh also pointed out the cases are particularly complex and there is a lack of precedents. “We are going to have to address a lot of novel issues,” she said.
The Case Against Anthem
While it is not reasonable to expect healthcare organizations to be able to prevent all cyberattacks, the plaintiffs allege that Anthem had not done enough to prevent attackers from gaining access to their data.
Anthem had previously been investigated by the Department of Health and Human Services’ Office for Civil Rights for a 2009 data breach that impacted 600,000 individuals. The company – then WellPoint – was fined $1.7 million for data security failures.
The plaintiffs claim that after experiencing a large-scale data breach in the past, and having being warned by the federal government of the high risk of cyberattacks, Anthem still failed to implement appropriate cybersecurity defenses such as encryption for all sensitive stored data.
Additionally, Mandiant – the security firm that Anthem contracted to investigate the 2015 data breach – issued a report claiming there was a lack of protections in place to prevent cyberattacks. The report said the health insurer and its affiliates “failed to take reasonable measures to secure the [personal and health information] in their possession.” Some of those protections included the failure to use 2-factor authentication, providing employees with access to more data than was necessary to perform work duties, a failure to ensure passwords were changed frequently, and insufficient controls to monitor data usage and exfiltration.
The plaintiffs claim that by failing to ensure appropriate protections were put in place to keep data private, Anthem breached its contractual obligations to plan members resulting in members being exposed to an unacceptable risk of harm and loss.
The case has been brought against Anthem Inc., 28 of its affiliates, the BlueCross Blue Shield Association and 17 non-BCBS companies. The deadline for adding plaintiffs to the class-action is July 11, 2016.