Three class-action lawsuits have been filed against Anthem following a cyberattack that exposed the personal information of 80 million current and former members—and more lawsuits are likely in coming days.
The class-action suits were filed Thursday, less than 24 hours after news of the breach first broke, in federal courts in Alabama, California and Indiana.
An Anthem spokesman declined to comment on the lawsuits Friday, but Anthem President and CEO Joseph Swedish said in an earlier statement about the breach: “Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyberattack.”
The statement noted that Anthem has now retained cybersecurity firm Mandiant to evaluate its systems and find solutions.
But Aashish Desai, an attorney for the woman who filed the California lawsuit, wonders why Anthem didn't take such steps earlier.
“It seems like a lot of companies try to get additional security measures in place, but it's after the horse has left the barn,” Desai said. “I don't know why these companies don't spend more on the front end.”
Desai said he expects a wave of additional class-action suits to be filed against Anthem shortly. Anthem might eventually ask for all the lawsuits to be coordinated, he said. If a court officially certifies a suit as a class action, then all those affected would automatically be considered part of the suit unless they opt out, he said.
In the California case, Anthem member Susan Morris of Orange County claims she and others have already been harmed by the breach because they “paid more than they would have had they known how the company would fail to properly secure and misuse their personal information.”
The complaint goes on to say, “The massive breach should not have come as a surprise to Anthem because its shoddy security protocols and track record made it susceptible to the massive hack that resulted.”
Morris alleges in her complaint that “it appears that Anthem's security system did not involve encrypting Social Security numbers and birthdates.” She also details past data breaches at Anthem, including a 2012 settlement over letters sent to 33,000 customers that included their Social Security numbers.
“Undeterred—and apparently unmotivated—by these events, Anthem still has failed to adequately protected (sic) its customers' private and sensitive information,” according to the complaint.
The complaint filed in Indiana, on behalf of Karen Meadows of Noblesville, also says Meadows suffered injury in that she would not have paid money to buy insurance from Anthem had she known “it lacked computer systems and data security practices adequate to safeguard customers' personal and financial information.”
The plaintiff in the Alabama case, Danny Juliano of Jefferson County, makes another argument, alleging that he and others are now in immediate and imminent danger of identity theft.
The personal information that was stolen “copied and transferred from defendant has all of the information wrongdoers need, and the American government and financial system requires, to completely and absolutely misuse plaintiff's and class members' identity to their detriment,” according to the complaint. “Consequently, defendant's customers and former customers have or will have to spend significant time and money to protect themselves.”
It’s entirely possible a jury might find Anthem liable for the breach, said Ken Dort, a partner in Drinker Biddle & Reath’s Intellectual Property Practice Group in Chicago. But getting damages out of Anthem for the breach is a different matter, he said.
The plaintiffs would have to show that the harm caused to them was directly traceable to the data breach, he said.
“That is very, very difficult to show,” Dort said. “You essentially have to prove that the difficulties someone is now experiencing can be tied directly back to the breach of Anthem. That’s almost impossible to show because every one of us has our social security number out on a variety of fronts. It’s very difficult, particularly if any group of plaintiffs in a class has been involved in a breach before.”
The Alabama lawsuit seeks lifetime consumer credit protection and monitoring for those affected; lifetime consumer credit insurance to protect against unauthorized use of personal information; restitution for any identity theft; and other unspecified damages.
The California lawsuit seeks unspecified economic and non-economic damages and unspecified restitution. The Indiana lawsuit also seeks unspecified damages.
HHS' Office of Inspector General has decided to look into the Anthem breach, as has the California insurance commissioner.
Follow Lisa Schencker on Twitter: @lschencker