giotta v anthem
TRANSCRIPT
-
8/9/2019 GIOTTA v Anthem
1/19
-
8/9/2019 GIOTTA v Anthem
2/19
1 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
Plaintiff Loralee Giotta (“Plaintiff”) by her attorneys, brings this class action on her own
behalf and on behalf of all others similarly situated against Defendant Anthem, Inc. and Blue Cross
of California, doing business as Anthem Blue Cross (collectively “Anthem”), and other unknown
DOE defendants (collectively all defendants are referred to as “Defendants”), and allege as follows
upon information and belief based on, inter alia , the investigation of their counsel:
I. INTRODUCTION
1. This is an action against Anthem, Inc. and its subsidiary Blue Cross of California, one
of the largest health insurers in the United States (collectively “Anthem”), for their failure to secure
and protect customers’ sensitive personally identifiable and financial information, including names,
birth dates, Social Security numbers, addresses, phone numbers, email addresses, health insurer
member identification numbers and possibly personal health care data (collectively customers’
“Personal Information”). 1
2. On or about February 4, 2015, Anthem first publically disclosed that hackers had
breached its computer systems in which Anthem maintained the Personal Information of its
customers ( i.e ., the policy owners and insureds of the insurance policies it issues). As a result of this
security breach, these hackers stole and now possess Anthem customers’ Personal Information.
3. Anthem’s failure to safeguard consumers’ Personal Information is particularlyegregious because Anthem failed to encrypt customers’ Personal Information. Encryption uses
mathematical formulas to scramble sensitive data so that, should hackers steal the data, the hackers
would be unable to decipher it. Encryption thus safeguards consumers’ Personal Information since,
even if stolen, encrypted data is much harder to use for identity theft or other nefarious purposes
detrimental to the consumer who’s data is at issue. Anthem’s failure to encrypt Plaintiff’s and other
consumers’ Personal Information thus means the data is easily readable by the hackers who stole it.
Because Anthem failed to protect customers’ Personal Information, including the failure to encrypt
customers’ sensitive information, hackers were able to obtain and read critical Personal Information
1 Plaintiff identifies these categories of Personal Information stolen from Anthem based on presentlyavailable information. Plaintiff reserves the right to amend this complaint to add further detail to thePersonal Information stolen from Anthem.
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page2 of 19
-
8/9/2019 GIOTTA v Anthem
3/19
2 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
of up to 80 million Anthem’s customers that would allow them to steal their identities or otherwise
use their credit without authorization.
4. Consumers could face a “lifelong battle” to deal with the consequences of their
Personal Information being stolen by hackers, including fraudulent tax returns or medical identify
fraud. 2 Anthem’s failure to adequately protect customers’ Personal Information has caused, and will
continue to cause, substantial customer harm and injuries to consumers across the United States. In
particular, Anthem failed to adequately and reasonably ensure that its data systems were protected,
including the use of encryption; failed to take available steps to prevent and stop the breach from
happening in the first instance; failed to disclose that it did not have adequate computer systems and
security to prevent customers’ personal, financial and health information from being stolen; failed to
destroy former customers’ personal, financial and health information when it was no longer
necessary to maintain; and failed to provide timely and adequate notice of the data breach to all
affected persons.
5. As a result of Anthem’s failure to protect customers’ Personal Information, up to 80
million consumers have had their Personal Information stolen, and have been harmed in one or more
of the following ways: (i) having their personal and financial information stolen; (ii) the costs
associated with detection and prevention of identity theft and unauthorized use of their financialaccounts; (iii) the time and costs associated with preventing, mitigating or dealing with changes to
financial accounts; (iv) the time, costs, expenses and future consequence from being the victim of
fraudulent charges; and (v) damage to their credit.
6. Plaintiff brings this action seeking damages, restitution and injunctive relief on behalf
of herself and millions of Anthem’s customers throughout the United States who had their Personal
Information stolen due to Anthem’s failure to secure its computer systems.
2 Shary Rudavsky, Anthem Data Breach Could Be “Lifelong Battle” for Customers , IndyStar,February 7, 2015, available at http://www.indystar.com/story/news/2015/02/05/anthem-data-breach-lifelong-battle-customers/22953623/ (last visited February 9, 2015).
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page3 of 19
-
8/9/2019 GIOTTA v Anthem
4/19
3 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
II. PARTIES
7. Plaintiff Loralee Giotta is a citizen of the State of California, residing in San Jose,
Santa Clara County, California. Ms. Giotta has Medicare Supplemental health insurance through
Anthem Blue Cross.
8. Defendant Anthem, Inc., previously known as WellPoint, Inc., is the second-largest
health insurer in the United States, and is incorporated and headquartered in Indianapolis, Indiana.
Anthem Inc. is licensed to conduct insurance operations in all 50 states, and conducts business in
California through the business operations of its wholly owned subsidiary, Anthem Blue Cross. One
in every nine Americans receives coverage through Anthem or one of its affiliated plans. 3 Anthem
provides health insurance coverage as Blue Cross and Blue Shield in Colorado, Connecticut,
Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia
and Wisconsin. Anthem offers health insurance through Americgroup, its wholly-owned subsidiary,
in Florida, Georgia, Kansas, Louisiana, Maryland, Nevada, New Jersey, New York, Tennessee,
Texas and Washington. 4 Anthem, Inc. also provides health insurance to customers throughout the
country as HealthLink, UniCare and in certain Arizona, California, Nevada, New York and Virginia
markets through our CareMore Health Group, Inc., or CareMore, subsidiary. 5
9. Defendant Anthem Blue Cross is a California corporation, and wholly ownedsubsidiary of Anthem, Inc. Anthem Blue Cross has more individual health insurance policyholders
in California than any other insurer.
3 Barbash and Phillip, Massive Data Hack of Health Insurer Anthem Potentially Exposes Millions ,Washington Post, February 5, 2015, available at http://www.washingtonpost.com/news/morning-mix/wp/2015/02/05/massive-data-hack-of-health-insurer-anthem-exposes-millions/ (last visitedFebruary 9, 2015).
4 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available athttp://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm .
5 Id .
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page4 of 19
-
8/9/2019 GIOTTA v Anthem
5/19
4 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
III. JURISDICTION AND VENUE
10. Jurisdiction of this Court is proper under 28 U.S.C. § 1332(d)(2). The matter in
controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, and is a class
action in which members of the class of plaintiffs are citizens of states different from Defendants.
11. Venue is proper within this judicial district pursuant to 28 U.S.C. §1391(b) and (c).
Defendants transact business and are found within this District, and a substantial portion of the
underlying transactions and events complained of by the enterprise occurred in this district, and
affected persons, including Plaintiff, who reside or resided in this judicial district at the material
time. Defendants have received substantial compensation from such transactions and business
activity in this District, including as the result of premiums paid for Anthem’s insurance within this
District.
IV. INTRA-DISTRICT ASSIGNMENT
12. Consistent with Northern District of California Civil Local Rule 3-5(b), assignment to
the San Jose Division is appropriate under Civil Local Rule 3-2(c) and 3-2(e), because acts giving
rise to the claims at issue in this lawsuit occurred, among other places, in this District, in Santa Clara
County, California.
V. FACTUAL ALLEGATIONS13. Health insurers, like Anthem, are obligated to keep customers’ personal, health and
financial information private and secured.
14. Health insurers such as Anthem know or should know of the risks their customers’
Personal Information is stolen and of the need to carefully safeguard this information, in part
because hackers breach the healthcare industry more frequently than any other segment of the
economy. 6
15. Anthem’s own Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Notice of Privacy Protection tells its customers:
6 Greisiger, Cyber Liability & Data Breach Insurance Claims , NetDiligence 2013, at p. 2, availableat http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf (last visited February 9, 2015).
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page5 of 19
-
8/9/2019 GIOTTA v Anthem
6/19
5 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
We are dedicated to protecting your [personal health information], and have set up a numberof policies and practices to help make sure your [personal health information] is kept secure…We keep your oral, written and electronic [personal health information] safe using physical,electronic, and procedural means. These safeguards follow federal and state laws. Some ofthe ways we keep your [personal health information] safe include securing offices that hold[personal health information], password-protecting computers, and locking storage areas andfiling cabinets. We require our employees to protect [personal health information] throughwritten policies and procedures. These policies limit access to [personal health information]to only those employees who need the data to do their job. Employees are also required towear ID badges to help keep people who do not belong out of areas where sensitive data iskept. Also, where required by law, our affiliates and nonaffiliates must protect the privacy ofdata we share in the normal course of business. They are not allowed to give [personal healthinformation] to others without your written OK, except as allowed by law and outlined in thisnotice. 7
16. As with customers’ health information that Anthem says it proactively protects,
Anthem also promises to keep its customers’ Personal Information protected as explained on its
website: “Anthem Blue Cross and Blue Shield maintains policies that protect the confidentiality of
personal information, including Social Security numbers, obtained from its members and associates
in the course of its regular business functions. Anthem Blue Cross and Blue Shield is committed to
protecting information about its customers and associates, especially the confidential nature of their
personal information.” 8
17. Consumers such as Anthem’s customers rely on health insurers such as Anthem to
maintain their sensitive health and Personal Information private and secure.18. Anthem claims to maintain state-of-the-art information security systems to protect its
customer personal health and financial data. 9
19. Yet, despite its promises, on January 29, 2015, hackers were able to access millions
of Anthem’s customers’ Personal Information, including names, birthdays, medical IDs/social
7 Anthem’s HIPPA notice titled, “Information that’s important to you,” located on its website athttps://www.anthem.com/health-insurance/nsecurepdf/english_common_11832ANMEN (last visitedFebruary 9, 2015).
8 Anthem’s HIPPA Notice of Privacy Practices, located on its website athttps://www.anthem.com/health-insurance/about-us/privacy#hipaa (last visited February 9, 2015).
9 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know , Time,February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/(last visited February 9, 2015).
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page6 of 19
-
8/9/2019 GIOTTA v Anthem
7/19
6 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
security numbers, street addresses, email addresses and employment information, including income
data. 10
20. Anthem confirmed that all of its product lines were impacted by the cyber attack,
including Anthem Blue Cross, Blue Cross of California, Anthem Blue Cross and Blue Shield, Blue
Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore,
Unicare, Healthlink, and DeCare.
21. The hackers who breached Anthem’s records were able to access a database
containing up to 80 million current and former customers, and employees’ records. 11
22. Anthem did not announce that its data systems maintaining personal, financial and
potentially health information of its customers and employees was compromised immediately.
Instead, Anthem waited to announce that its systems were compromised, and that up to 80 million
consumers’ records had been stolen, until February 4, 2015. Moreover, Anthem is still delaying
notifying individual consumers affected by the breach. 12
23. Before the breach, Anthem did not encrypt the data in this database, including Social
Security numbers and other Personal Information. 13 Encryption is considered the most effective way
to secure data. 14 Without encryption, the hackers who accessed the information will be able to easily
access all of the Personal Information accessed.
10 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at <http://www.anthemfacts.com/ (last visited February 9, 2015).
11 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know , Time,February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 9, 2015).
12 Tracer, After Hack, Anthem to Notify Affected Customers Within Two Weeks , Bloomberg,February 5, 2015, available at < http://www.bloomberg.com/news/articles/2015-02-05/anthem-to-tell-hacked-customers-in-two-weeks-no-earnings-impact > (last visited February 9, 2015).
13 Jaspen, Hackers Stole Data on 80 Million Anthem Customers. Why Wasn’t It Encrypted? , Forbes,February 6, 2015, available at < http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didnt-encrypt-personal-data-and-privacy-laws-dont-require-it/ > (last visited February 9, 2015).
14 Id .
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page7 of 19
-
8/9/2019 GIOTTA v Anthem
8/19
7 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
24. Only as a result of the cyber attack, Anthem retained Mandiant, a leading
cybersecurity firm, to evaluate Anthem’s systems and identify solutions to Anthem’s systems’
vulnerabilities. 15
25. Anthem could have retained Mandiant prior to the cyber attack to analyze and
identify solutions for its systems’ vulnerabilities, and this could have prevented the cyber attack
from occurring, or at the least minimized the amount of information stolen from Anthem’s systems.
26. Indeed, Anthem and other health insurers routinely maintain consumers’ health and
financial information, and have been on notice of potential cyber attacks seeking to get consumers
Personal Information.
27. In 2014, the Federal Bureau of Investigation’s cyber division warned health care
systems that cyber attacks were likely to occur after January 2015, when healthcare companies were
required to transfer from paper medical records over to electronic records. 16 The FBI pointed out
that healthcare companies were more susceptible to cyber attacks, making future attacks likely. The
FBI’s report was highly publicized, being reported by such news agencies as Reuters. 17
28. Indeed, even before the full transition over to electronic medical records, other
healthcare companies were the targets of major cyber attacks. According to a SANS Analyst
Whitepaper from February 2014 titled, “Health Care Cyberthreat Report: Widespread CompromisesDetected, Compliance Nightmare on Horizon,” healthcare providers, including insurance companies,
were regular targets of cyber attacks, and particularly vulnerable to them. 18
15 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at <http://www.anthemfacts.com/ (last visited February 9, 2015).
16 FBI Cyber Division Private Industry Notification, April 8, 2014, available at
https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf (last visited February 9,2015).
17 Finkle, Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks , Reuters, April 23,2014, available at http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423 (last visited February 9, 2014).
18 Filkins, Health Care Cyberthreat Report , SANS, February 2014, available at http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf (last visitedFebruary 9, 2015).
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page8 of 19
-
8/9/2019 GIOTTA v Anthem
9/19
8 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
29. Anthem was aware that it needed to maintain the security of its customers’ Private
Information. In its SEC Form 10-K filings dated February 20, 2014, Anthem acknowledged that it
must maintain and upgrade its data systems to protect its customers’ data. 19
30. Yet, despite the many warnings, Anthem’s own promises to maintain data security,
and the critical nature of maintaining the security of consumers’ financial information, Anthem did
not even take steps to encrypt the sensitive Personal Information of its customers and employees that
it maintained.
31. Anthem also did not disclose to anyone that it did not have adequate security systems
in place to keep Plaintiff and other customers’ personal, financial and health information that
Anthem maintained on its computer systems private and secure.
32. Due to Anthem’s failure to maintain the privacy and security of Plaintiff’s and Class
Members’ private personal, financial and health information, Anthem has violated the law and
breached its duties to its customers.
VI. CLASS ACTION ALLEGATIONS
33. This action asserts claims on behalf of a nationwide class, and a California subclass
pursuant to Federal Rules of Civil Procedure 23(a), (b)(1), (b)(2), (b)(3), and (c)(4), which class and
subclasses consist of persons who had their data stolen from Anthem’s systems as follows:
All persons in the United States whose personal, health or financial information wascompromised by the data breach disclosed by Anthem on February 4, 2015 (the “NationalClass”).
All persons in California whose personal, health or financial information was compromised by the data breach disclosed by Anthem on February 4, 2015 (the “California Subclass”).
34. Excluded from each of the class and subclasses are: (i) Anthem Inc., and its
employees, principals, affiliated entities, legal representatives, successors and assigns; (ii) Blue
Cross of California, and its employees, principals, affiliated entities, legal representatives, successors
19 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available athttp://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm .
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page9 of 19
-
8/9/2019 GIOTTA v Anthem
10/19
9 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
and assigns; (iii) the judges to whom this action is assigned and any members of their immediate
families.
35. There are thousands of members in each of the National Class and California
Subclass who are geographically dispersed throughout California and the United States. Therefore,
individual joinder of the members of any of the classes defined above would be impracticable.
36. Common questions of law or fact exist as to all members of the National Class and
California Subclass. These common legal or factual questions include:
a. Whether Anthem engaged in the wrongful conduct alleged herein;
b. Whether Anthem’s conduct was deceptive, unfair, unconscionable and/or
unlawful;
c. Whether Anthem owed a duty to Plaintiff and members of the National Class
and/or California Subclass to protect their Personal Information;
d. Whether Anthem breached its duty owed to Plaintiff and members of the National
Class and/or California Subclass to protect their Personal Information;
e. Whether Anthem owed a duty to Plaintiff and members of the National Class
and/or California Subclass to timely and accurately provide notice of Anthem’s
data breach;f. Whether Anthem breached its duty owed to Plaintiff and members of the National
Class and/or California Subclass to timely or accurately provide notice of
Anthem’s data breach;
g. Whether Anthem knew or should have known that its computer systems were
vulnerable to attack;
h. Whether Anthem had a duty to encrypt Plaintiff’s and members of the National
Class’ and/or California Subclass’ Personal Information;
i. Whether Anthem breached its duty to encrypt Plaintiff’s and members of the
National Class’ and/or California Subclass’ Personal Information;
j. Whether Plaintiff and members of the National Class and California Subclass
suffered injury as a result of Anthem’s conduct or failure to act; and
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page10 of 19
-
8/9/2019 GIOTTA v Anthem
11/19
10 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
k. Whether Plaintiff and members of the National Class and California Subclass are
entitled to damages, restitution and/or equitable relief.
37. Plaintiff’s claims are typical of the claims of the National Class and California
Subclass. Plaintiff is an Anthem customer whose Personal Information was compromised by the
data breach announced by Anthem on February 4, 2015. Therefore, Plaintiff is no different in any
material respect from any other members of the National Class or California Subclass, and the relief
sought by Plaintiff is common to the relief sought by the class and subclass.
38. Plaintiff is an adequate representative of the National Class and California Subclass
because her interests do not conflict with the interests of the class or subclass members she seeks to
represent, and she has retained counsel competent and experienced in conducting complex class
action litigation. Plaintiff and her counsel will adequately protect the interests of the class and
subclass.
39. A class action is superior to other available means for the fair and efficient
adjudication of this dispute. The damages suffered by each individual member of the National Class
and California Subclass are relatively small, while the burden and monetary expense needed to
individually prosecute this case against Defendants is substantial. Thus, it would be virtually
impossible for class and subclass members individually to redress effectively the wrongs done tothem. Moreover, even if members of the class and subclass defined herein could afford individual
actions, a multitude of such individual actions still would not be preferable to class wide litigation.
Individual actions also present the potential for inconsistent or contradictory judgments, which
would be dispositive of at least some of the issues and hence interests of the other members not party
to the individual actions, would substantially impair or impede their ability to protect their interests,
and would establish incompatible standards of conduct for the party opposing the class.
40. By contrast, a class action presents far fewer litigation management difficulties, and
provides the benefits of single adjudication, economies of scale, and comprehensive supervision by a
single court. Also, or in the alternative, the National Class and California Subclass may be certified
because Defendants have acted or refused to act on grounds generally applicable to each of the
respective class and subclass, thereby making preliminary and final declaratory relief appropriate.
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page11 of 19
-
8/9/2019 GIOTTA v Anthem
12/19
11 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
Also in the alternative, the National Class and California Subclass may be certified with respect to
particular issues pursuant to Fed.R.Civ.P. 23(c)(4).
41. All records concerning Anthem’s data breach, including records sufficient to identify
members of the National Class and California Subclass, are in the possession and control of Anthem
and its agents and are available through discovery.
VII. CLAIMS FOR RELIEF
FIRST CAUSE OF ACTIONNegligence (on Behalf of Plaintiff and the National Class against all Defendants)
42. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
them as if they were fully written herein.
43. Anthem owed a duty to Plaintiff and National Class members to exercise reasonable
care in retaining, maintaining, securing and safeguarding the Personal Information of customers in
Anthem’s possession from being compromised, stolen, accessed or misused by unauthorized
persons. This duty included, inter alia , creating, maintaining, testing and securing Anthem’s
databases containing customers personal, financial and health information to ensure that Plaintiff’s
and National Class members’ personal, financial and health information was secured from cyber
attack. This duty also included, at the minimum, that Plaintiff’s and National Class members’
personal, financial and health information be maintained in encrypted form.
44. Anthem owed a duty to Plaintiff and National Class members to implement processes
to detect a breach of its security systems in a timely manner, and to act upon any warnings or alerts
that Anthem’s security systems were breached.
45. Anthem owed a duty to Plaintiff and National Class members to timely disclose any
breach of its security systems.
46. Anthem owed a duty to disclose to Plaintiff and National Class members to disclose
that it could not adequately keep private the Personal Information of its customers.
47. Anthem breached these duties owed to Plaintiff and National Class members by its
conduct alleged herein by, inter alia , (i) failing to exercise reasonable care in retaining, maintaining,
securing and safeguarding the Personal Information of customers in Anthem’s possession from being
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page12 of 19
-
8/9/2019 GIOTTA v Anthem
13/19
12 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
compromised, stolen, accessed or misused by unauthorized persons, including failing to encrypt
customers’ Personal Information; (ii) failing to implement processes to detect a breach of its security
systems in a timely manner, and to act upon any warnings or alerts that Anthem’s security systems
were breached; (iii) failing to timely disclose to Plaintiff and members of the National Class any
breach of its security systems; (iv) failing to timely disclose any breach of its security systems; and
(v) failing to disclose that it could not adequately keep private the personal, financial and health
information of its customers.
48. As a result of Anthem’s conduct described throughout this Complaint, Plaintiff and
National Class members have been harmed. Such harm includes the theft of their identities,
personal, financial and health information; costs associated with detecting and preventing identity
theft and unauthorized use of their personal, financial and health information; costs associated with
the loss of work or productivity addressing, ameliorating, mitigating and otherwise dealing with
actual and future consequences of the data breach, including finding unauthorized charges on credit
cards, cancelling credit cards, purchasing credit monitoring and identity theft protection services,
and stress, nuisance and annoyance with the issues resulting from Anthem’s data breach; actual and
certain future injuries from fraud and identity theft due to Plaintiff’s and National Class members’
personal, financial and health information being stolen by hackers; damages to Plaintiff’s and National Class members’ credit; premiums Plaintiff and National Class members paid to Anthem for
health insurance where, had Plaintiff and National Class members known Anthem would not protect
their personal, financial and/or health information private, they would have paid to another health
insurance provider; and the overpayment of premium to Anthem for the cost of Anthem providing
reasonable and adequate safeguards for Plaintiff’s and National Class members’ personal, private
and health information.
SECOND CAUSE OF ACTIONBreach of Contract (on behalf of Plaintiff and National Class against all Defendants)
49. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
them as if they were fully written herein.
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page13 of 19
-
8/9/2019 GIOTTA v Anthem
14/19
-
8/9/2019 GIOTTA v Anthem
15/19
14 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
when they purchased health insurance from Anthem (or when health insurances was purchased from
Anthem on their behalf).
57. Plaintiff and National Class members would not have provided their Personal
Information to Anthem absent Anthem’s implied promise to safeguard and protect consumers’
Personal Information.
58. Plaintiff and National Class members performed all the obligations required by them
under the implied contract when they purchased health insurance from Anthem.
59. Anthem breached its implied contracts with Plaintiff and National Class members by
failing to safeguard and protect the personal, financial and health information provided to it by
Plaintiff and National Class members.
60. As a direct and proximate result of Anthem’s breach of its implied contracts, Plaintiff
and National Class members suffered the damages and injuries described herein.
FOURTH CAUSE OF ACTIONViolations of the California Data Breach Act, California Civil Code §§ 1798.80, et seq . (on
behalf of Plaintiff and the California Subclass against all Defendants)
61. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
them as if they were fully written herein.62. The Personal Information maintained by Anthem, and that was taken in the data
breach revealed on February 4, 2015, constitutes protected personal information under California’s
Data Breach Act.
63. Anthem was required to implement and maintain reasonable security procedures and
practices to protect Plaintiff’s and California Subclass members’ personal information from
unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code. § 1798.81.5.
64. Anthem was required to take all reasonable steps to dispose, or arrange for the
disposal, of customer records within its custody or control containing personal information when the
records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise
modifying the personal information in those records to make it unreadable or undecipherable
through any means. Cal. Civ. Code § 1798.81.
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page15 of 19
-
8/9/2019 GIOTTA v Anthem
16/19
15 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
65. Anthem was also required to disclose a breach of the security of the system following
discovery or notification of the breach in the security of the data to a resident of California whose
unencrypted personal information was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure shall be made in the most expedient time possible and without
unreasonable delay…. Cal Civ. Code § 1798.82.
66. Anthem has violated California’s Data Breach Act by (i) failing to implement and
maintain reasonable security procedures and practices to protect Plaintiff’s and California Subclass
members’ personal information from unauthorized access, destruction, use, modification, or
disclosure; (ii) failing to take all reasonable steps to dispose, or arrange for the disposal, of customer
records within its custody or control containing personal information when the records are no longer
to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal
information in those records to make it unreadable or undecipherable through any means; and (iii)
failing to disclose in the most expedient time possible without delay that California residents’
unencrypted personal information was, or was reasonably believed to have been, acquired by an
unauthorized person.
67. As a result of Anthem’s violation of California’s Data Breach Act, Plaintiff and
California Subclass members are entitled to recover damages sustained as a result of Anthem’sviolation of the Data Breach Act, as well as attorneys’ fees, costs, and expenses incurred in bringing
this action.
FIFTH CAUSE OF ACTIONViolation of The “Unlawful” prong of the Unfair Competition Law, Bus. & Prof. Code §§
17200, et seq . (on behalf of Plaintiff and the California Default-Related Service Fee Subclassagainst all Defendants)
68. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
them as if they were fully written herein.
69. Plaintiff brings this cause of action on behalf of herself and the members of the
California Subclass.
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page16 of 19
-
8/9/2019 GIOTTA v Anthem
17/19
16 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
70. The Unfair Competition Law (“UCL”), California Business and Professions Code §§
17200, et seq ., defines unfair business competition to include any “unlawful, unfair or fraudulent”
act or practice.
71. A business act or practice is “unlawful” if it violates any established state or federal
law.
72. Defendants have and continue to violate the “unlawful” prong of the UCL by failing
to securely maintain Plaintiff’s and California Subclass members’ Personal Information, failing to
destroy Plaintiff’s and California Subclass members’ Personal Information when it was not needed,
and failing to timely notify Plaintiff and California Subclass members of the data breach as
described herein in violation of California’s Data Breach Act, Cal. Civ. Code §§ 1798 , et seq .
73. Through their unlawful acts and practices, Defendants have obtained, and continue to
unfairly obtain, money from Plaintiff and members of the California Subclass. As such, Plaintiff
requests on behalf of herself and all California Subclass members the relief set forth in the Prayer,
including that this Court enjoin Defendants from continuing to violate the Unfair Competition Law
as discussed herein. Otherwise, the California Subclass may be irreparably harmed and/or denied an
effective and complete remedy if such an order is not granted.
SIXTH CAUSE OF ACTIONRestitution Based On Unjust Enrichment /Quasi-Contract (on behalf of Plaintiff and theNational Class against All Defendants)
74. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
them as if they were fully written herein. Plaintiff pleads this Cause of Action in the alternative.
75. Defendants’ failure to secure Plaintiff’s and National Class members’ Personal
Information, failure to destroy said information when it was no longer necessary to maintain, and
failure to timely notify Plaintiff and National Class members of the data breach was unlawful as
described herein. Defendants took money from (or on behalf of) Plaintiff and National Class
members based upon assurances that it would maintain the security of the Personal Information
provided to it. By failing to maintain the security and privacy of Plaintiff and National Class
members’ personal, financial and health information, Defendants have been unjustly enriched at the
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page17 of 19
-
8/9/2019 GIOTTA v Anthem
18/19
17 Class Action Complaint;Case No.:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
expense of Plaintiff and National Class members, thereby creating a quasi-contractual obligation on
Defendants to restore these ill-gotten gains to Plaintiff and the National Class.
76. As a direct and proximate result of Defendants’ unjust enrichment, Plaintiff and the
National Class are entitled to restitution or restitutionary disgorgement in an amount to be proved at
trial.
VIII. PRAYER
WHEREFORE, Plaintiff, on behalf of herself all members of the National Class and
California Subclass requests award and relief as follows:
A. An order certifying that this action is properly brought and may be maintained as a
class action, that Plaintiff Loralee Giotta be appointed a Class Representatives for the National Class
and California Subclass, and that Plaintiff’s counsel be appointed Counsel for the National Class and
California Subclass.
B. Awarding compensatory damages in an amount determined at trial for each Cause of
Action asserted herein for which these damages are available.
C. Awarding restitution in an amount determined at trial for each Cause of Action
asserted herein for which this relief is available.
D. An order enjoining Defendants from continuing the unlawful practices as set forthherein, and directing Defendants to identify, with Court supervision, victims of their conduct and
pay them restitution.
E. Awarding interest on the monies wrongfully obtained from the date of collection
through the date of entry of judgment in this action.
F. An order awarding Plaintiff her costs of suit, including reasonable attorneys’ fees and
pre and post-judgment interest, as provided by law, or equity, or as otherwise available.
G. Such other and further relief as may be available as part of the statutory claims
asserted herein, or otherwise as may be deemed necessary or appropriate for any of the claims
asserted.
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page18 of 19
-
8/9/2019 GIOTTA v Anthem
19/19
18
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1718
19
20
21
22
23
24
25
26
27
28
IX. DEMAND FOR JURY TRIAL
Plaintiff hereby demands a trial by jury on all claims and/or issues so triable.
DATED: February 9, 2015 Respectfully Submitted,
/s/William T. PayneWilliam T. Payne (CSB 90988)
Joseph N. Kravec, Jr.Wyatt A. LisonFEINSTEIN DOYLE
PAYNE & KRAVEC, LLCAllegheny Building, 17 th Floor429 Forbes AvenuePittsburgh, PA 15219Tel: (412) 281-8400Fax: (412) 281-1007Email: [email protected]: [email protected]: [email protected]
ATTORNEYS FOR PLAINTIFF AND THE PROPOSED CLASS ANDSUBCLASS
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page19 of 19