giotta v anthem

Upload: bennet-kelley

Post on 01-Jun-2018

    1 Class Action Complaint;Case No.:

    Plaintiff Loralee Giotta (“Plaintiff”) by her attorneys, brings this class action on her own

    behalf and on behalf of all others similarly situated against Defendant Anthem, Inc. and Blue Cross

    of California, doing business as Anthem Blue Cross (collectively “Anthem”), and other unknown

    DOE defendants (collectively all defendants are referred to as “Defendants”), and allege as follows

    upon information and belief based on, inter alia, the investigation of their counsel:

    I. INTRODUCTION

    1. This is an action against Anthem, Inc. and its subsidiary Blue Cross of California, one

    of the largest health insurers in the United States (collectively “Anthem”), for their failure to secure

    and protect customers’ sensitive personally identifiable and financial information, including names,

    birth dates, Social Security numbers, addresses, phone numbers, email addresses, health insurer

    member identification numbers and possibly personal health care data (collectively customers’

    “Personal Information”). 1

    2. On or about February 4, 2015, Anthem first publicly disclosed that hackers had

    breached its computer systems in which Anthem maintained the Personal Information of its

    customers (i.e., the policy owners and insureds of the insurance policies it issues). As a result of this

    security breach, these hackers stole and now possess Anthem customers’ Personal Information.

    3. Anthem’s failure to safeguard consumers’ Personal Information is particularly egregious because Anthem failed to encrypt customers’ Personal Information. Encryption uses

    mathematical formulas to scramble sensitive data so that, should hackers steal the data, the hackers

    would be unable to decipher it. Encryption thus safeguards consumers’ Personal Information since,

    even if stolen, encrypted data is much harder to use for identity theft or other nefarious purposes

    detrimental to the consumer whose data is at issue. Anthem’s failure to encrypt Plaintiff’s and other

    consumers’ Personal Information thus means the data is easily readable by the hackers who stole it.

    Because Anthem failed to protect customers’ Personal Information, including the failure to encrypt

    customers’ sensitive information, hackers were able to obtain and read critical Personal Information

    1 Plaintiff identifies these categories of Personal Information stolen from Anthem based on presently available information. Plaintiff reserves the right to amend this complaint to add further detail to the Personal Information stolen from Anthem.

    Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page2 of 19

    of up to 80 million Anthem’s customers that would allow them to steal their identities or otherwise

    use their credit without authorization.

    4. Consumers could face a “lifelong battle” to deal with the consequences of their

    Personal Information being stolen by hackers, including fraudulent tax returns or medical identity

    fraud. 2 Anthem’s failure to adequately protect customers’ Personal Information has caused, and will

    continue to cause, substantial customer harm and injuries to consumers across the United States. In

    particular, Anthem failed to adequately and reasonably ensure that its data systems were protected,

    including the use of encryption; failed to take available steps to prevent and stop the breach from

    happening in the first instance; failed to disclose that it did not have adequate computer systems and

    security to prevent customers’ personal, financial and health information from being stolen; failed to

    destroy former customers’ personal, financial and health information when it was no longer

    necessary to maintain; and failed to provide timely and adequate notice of the data breach to all

    affected persons.

    5. As a result of Anthem’s failure to protect customers’ Personal Information, up to 80

    million consumers have had their Personal Information stolen, and have been harmed in one or more

    of the following ways: (i) having their personal and financial information stolen; (ii) the costs

    associated with detection and prevention of identity theft and unauthorized use of their financial accounts; (iii) the time and costs associated with preventing, mitigating or dealing with changes to

    financial accounts; (iv) the time, costs, expenses and future consequence from being the victim of

    fraudulent charges; and (v) damage to their credit.

    6. Plaintiff brings this action seeking damages, restitution and injunctive relief on behalf

    of herself and millions of Anthem’s customers throughout the United States who had their Personal

    Information stolen due to Anthem’s failure to secure its computer systems.

    2 Shary Rudavsky, Anthem Data Breach Could Be “Lifelong Battle” for Customers, IndyStar, February 7, 2015, available at http://www.indystar.com/story/news/2015/02/05/anthem-data-breach-lifelong-battle-customers/22953623/ (last visited February 9, 2015).

    II. PARTIES

    7. Plaintiff Loralee Giotta is a citizen of the State of California, residing in San Jose,

    Santa Clara County, California. Ms. Giotta has Medicare Supplemental health insurance through

    Anthem Blue Cross.

    8. Defendant Anthem, Inc., previously known as WellPoint, Inc., is the second-largest

    health insurer in the United States, and is incorporated and headquartered in Indianapolis, Indiana.

    Anthem Inc. is licensed to conduct insurance operations in all 50 states, and conducts business in

    California through the business operations of its wholly owned subsidiary, Anthem Blue Cross. One

    in every nine Americans receives coverage through Anthem or one of its affiliated plans. 3 Anthem

    provides health insurance coverage as Blue Cross and Blue Shield in Colorado, Connecticut,

    Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia

    and Wisconsin. Anthem offers health insurance through Amerigroup, its wholly-owned subsidiary,

    in Florida, Georgia, Kansas, Louisiana, Maryland, Nevada, New Jersey, New York, Tennessee,

    Texas and Washington. 4 Anthem, Inc. also provides health insurance to customers throughout the

    country as HealthLink, UniCare and in certain Arizona, California, Nevada, New York and Virginia

    markets through our CareMore Health Group, Inc., or CareMore, subsidiary. 5

    9. Defendant Anthem Blue Cross is a California corporation, and wholly owned subsidiary of Anthem, Inc. Anthem Blue Cross has more individual health insurance policyholders

    in California than any other insurer.

    3 Barbash and Phillip, Massive Data Hack of Health Insurer Anthem Potentially Exposes Millions, Washington Post, February 5, 2015, available at http://www.washingtonpost.com/news/morning-mix/wp/2015/02/05/massive-data-hack-of-health-insurer-anthem-exposes-millions/ (last visited February 9, 2015).

    4 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm.

    5 Id.

    III. JURISDICTION AND VENUE

    10. Jurisdiction of this Court is proper under 28 U.S.C. § 1332(d)(2). The matter in

    controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, and is a class

    action in which members of the class of plaintiffs are citizens of states different from Defendants.

    11. Venue is proper within this judicial district pursuant to 28 U.S.C. § 1391(b) and (c).

    Defendants transact business and are found within this District, and a substantial portion of the

    underlying transactions and events complained of by the enterprise occurred in this district, and

    affected persons, including Plaintiff, who reside or resided in this judicial district at the material

    time. Defendants have received substantial compensation from such transactions and business

    activity in this District, including as the result of premiums paid for Anthem’s insurance within this

    District.

    IV. INTRA-DISTRICT ASSIGNMENT

    12. Consistent with Northern District of California Civil Local Rule 3-5(b), assignment to

    the San Jose Division is appropriate under Civil Local Rule 3-2(c) and 3-2(e), because acts giving

    rise to the claims at issue in this lawsuit occurred, among other places, in this District, in Santa Clara

    County, California.

    V. FACTUAL ALLEGATIONS

    13. Health insurers, like Anthem, are obligated to keep customers’ personal, health and

    financial information private and secured.

    14. Health insurers such as Anthem know or should know of the risks their customers’

    Personal Information is stolen and of the need to carefully safeguard this information, in part

    because hackers breach the healthcare industry more frequently than any other segment of the

    economy. 6

    15. Anthem’s own Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    Notice of Privacy Protection tells its customers:

    6 Greisiger, Cyber Liability & Data Breach Insurance Claims, NetDiligence 2013, at p. 2, available at http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf (last visited February 9, 2015).

    We are dedicated to protecting your [personal health information], and have set up a number of policies and practices to help make sure your [personal health information] is kept secure… We keep your oral, written and electronic [personal health information] safe using physical, electronic, and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your [personal health information] safe include securing offices that hold [personal health information], password-protecting computers, and locking storage areas and filing cabinets. We require our employees to protect [personal health information] through written policies and procedures. These policies limit access to [personal health information] to only those employees who need the data to do their job. Employees are also required to wear ID badges to help keep people who do not belong out of areas where sensitive data is kept. Also, where required by law, our affiliates and nonaffiliates must protect the privacy of data we share in the normal course of business. They are not allowed to give [personal health information] to others without your written OK, except as allowed by law and outlined in this notice. 7

    16. As with customers’ health information that Anthem says it proactively protects,

    Anthem also promises to keep its customers’ Personal Information protected as explained on its

    website: “Anthem Blue Cross and Blue Shield maintains policies that protect the confidentiality of

    personal information, including Social Security numbers, obtained from its members and associates

    in the course of its regular business functions. Anthem Blue Cross and Blue Shield is committed to

    protecting information about its customers and associates, especially the confidential nature of their

    personal information.” 8

    17. Consumers such as Anthem’s customers rely on health insurers such as Anthem to

    maintain their sensitive health and Personal Information private and secure.

    18. Anthem claims to maintain state-of-the-art information security systems to protect its

    customer personal health and financial data. 9

    19. Yet, despite its promises, on January 29, 2015, hackers were able to access millions

    of Anthem’s customers’ Personal Information, including names, birthdays, medical IDs/social

    7 Anthem’s HIPAA notice titled, “Information that’s important to you,” located on its website at https://www.anthem.com/health-insurance/nsecurepdf/english_common_11832ANMEN (last visited February 9, 2015).

    8 Anthem’s HIPAA Notice of Privacy Practices, located on its website at https://www.anthem.com/health-insurance/about-us/privacy#hipaa (last visited February 9, 2015).

    9 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 9, 2015).

    security numbers, street addresses, email addresses and employment information, including income

    data. 10

    20. Anthem confirmed that all of its product lines were impacted by the cyber attack,

    including Anthem Blue Cross, Blue Cross of California, Anthem Blue Cross and Blue Shield, Blue

    Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore,

    Unicare, Healthlink, and DeCare.

    21. The hackers who breached Anthem’s records were able to access a database

    containing up to 80 million current and former customers, and employees’ records. 11

    22. Anthem did not announce that its data systems maintaining personal, financial and

    potentially health information of its customers and employees was compromised immediately.

    Instead, Anthem waited to announce that its systems were compromised, and that up to 80 million

    consumers’ records had been stolen, until February 4, 2015. Moreover, Anthem is still delaying

    notifying individual consumers affected by the breach. 12

    23. Before the breach, Anthem did not encrypt the data in this database, including Social

    Security numbers and other Personal Information. 13 Encryption is considered the most effective way

    to secure data. 14 Without encryption, the hackers who accessed the information will be able to easily

    access all of the Personal Information accessed.

    10 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at http://www.anthemfacts.com/ (last visited February 9, 2015).

    11 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 9, 2015).

    12 Tracer, After Hack, Anthem to Notify Affected Customers Within Two Weeks, Bloomberg, February 5, 2015, available at http://www.bloomberg.com/news/articles/2015-02-05/anthem-to-tell-hacked-customers-in-two-weeks-no-earnings-impact (last visited February 9, 2015).

    13 Japsen, Hackers Stole Data on 80 Million Anthem Customers. Why Wasn’t It Encrypted?, Forbes, February 6, 2015, available at http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didnt-encrypt-personal-data-and-privacy-laws-dont-require-it/ (last visited February 9, 2015).

    14 Id.

    24. Only as a result of the cyber attack, Anthem retained Mandiant, a leading

    cybersecurity firm, to evaluate Anthem’s systems and identify solutions to Anthem’s systems’

    vulnerabilities. 15

    25. Anthem could have retained Mandiant prior to the cyber attack to analyze and

    identify solutions for its systems’ vulnerabilities, and this could have prevented the cyber attack

    from occurring, or at the least minimized the amount of information stolen from Anthem’s systems.

    26. Indeed, Anthem and other health insurers routinely maintain consumers’ health and

    financial information, and have been on notice of potential cyber attacks seeking to get consumers’

    Personal Information.

    27. In 2014, the Federal Bureau of Investigation’s cyber division warned health care

    systems that cyber attacks were likely to occur after January 2015, when healthcare companies were

    required to transfer from paper medical records over to electronic records. 16 The FBI pointed out

    that healthcare companies were more susceptible to cyber attacks, making future attacks likely. The

    FBI’s report was highly publicized, being reported by such news agencies as Reuters. 17

    28. Indeed, even before the full transition over to electronic medical records, other

    healthcare companies were the targets of major cyber attacks. According to a SANS Analyst

    Whitepaper from February 2014 titled, “Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon,” healthcare providers, including insurance companies,

    were regular targets of cyber attacks, and particularly vulnerable to them. 18

    15 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at http://www.anthemfacts.com/ (last visited February 9, 2015).

    16 FBI Cyber Division Private Industry Notification, April 8, 2014, available at https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf (last visited February 9, 2015).

    17 Finkle, Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, Reuters, April 23, 2014, available at http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423 (last visited February 9, 2014).

    18 Filkins, Health Care Cyberthreat Report, SANS, February 2014, available at http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf (last visited February 9, 2015).

    29. Anthem was aware that it needed to maintain the security of its customers’ Private

    Information. In its SEC Form 10-K filings dated February 20, 2014, Anthem acknowledged that it

    must maintain and upgrade its data systems to protect its customers’ data. 19

    30. Yet, despite the many warnings, Anthem’s own promises to maintain data security,

    and the critical nature of maintaining the security of consumers’ financial information, Anthem did

    not even take steps to encrypt the sensitive Personal Information of its customers and employees that

    it maintained.

    31. Anthem also did not disclose to anyone that it did not have adequate security systems

    in place to keep Plaintiff and other customers’ personal, financial and health information that

    Anthem maintained on its computer systems private and secure.

    32. Due to Anthem’s failure to maintain the privacy and security of Plaintiff’s and Class

    Members’ private personal, financial and health information, Anthem has violated the law and

    breached its duties to its customers.

    VI. CLASS ACTION ALLEGATIONS

    33. This action asserts claims on behalf of a nationwide class, and a California subclass

    pursuant to Federal Rules of Civil Procedure 23(a), (b)(1), (b)(2), (b)(3), and (c)(4), which class and

    subclasses consist of persons who had their data stolen from Anthem’s systems as follows:

    All persons in the United States whose personal, health or financial information was compromised by the data breach disclosed by Anthem on February 4, 2015 (the “National Class”).

    All persons in California whose personal, health or financial information was compromised by the data breach disclosed by Anthem on February 4, 2015 (the “California Subclass”).

    34. Excluded from each of the class and subclasses are: (i) Anthem Inc., and its

    employees, principals, affiliated entities, legal representatives, successors and assigns; (ii) Blue

    Cross of California, and its employees, principals, affiliated entities, legal representatives, successors

    19 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm.

    and assigns; (iii) the judges to whom this action is assigned and any members of their immediate

    families.

    35. There are thousands of members in each of the National Class and California

    Subclass who are geographically dispersed throughout California and the United States. Therefore,

    individual joinder of the members of any of the classes defined above would be impracticable.

    36. Common questions of law or fact exist as to all members of the National Class and

    California Subclass. These common legal or factual questions include:

    a. Whether Anthem engaged in the wrongful conduct alleged herein;

    b. Whether Anthem’s conduct was deceptive, unfair, unconscionable and/or

    unlawful;

    c. Whether Anthem owed a duty to Plaintiff and members of the National Class

    and/or California Subclass to protect their Personal Information;

    d. Whether Anthem breached its duty owed to Plaintiff and members of the National

    Class and/or California Subclass to protect their Personal Information;

    e. Whether Anthem owed a duty to Plaintiff and members of the National Class

    and/or California Subclass to timely and accurately provide notice of Anthem’s

    data breach;

    f. Whether Anthem breached its duty owed to Plaintiff and members of the National

    Class and/or California Subclass to timely or accurately provide notice of

    Anthem’s data breach;

    g. Whether Anthem knew or should have known that its computer systems were

    vulnerable to attack;

    h. Whether Anthem had a duty to encrypt Plaintiff’s and members of the National

    Class’ and/or California Subclass’ Personal Information;

    i. Whether Anthem breached its duty to encrypt Plaintiff’s and members of the

    National Class’ and/or California Subclass’ Personal Information;

    j. Whether Plaintiff and members of the National Class and California Subclass

    suffered injury as a result of Anthem’s conduct or failure to act; and

    k. Whether Plaintiff and members of the National Class and California Subclass are

    entitled to damages, restitution and/or equitable relief.

    37. Plaintiff’s claims are typical of the claims of the National Class and California

    Subclass. Plaintiff is an Anthem customer whose Personal Information was compromised by the

    data breach announced by Anthem on February 4, 2015. Therefore, Plaintiff is no different in any

    material respect from any other members of the National Class or California Subclass, and the relief

    sought by Plaintiff is common to the relief sought by the class and subclass.

    38. Plaintiff is an adequate representative of the National Class and California Subclass

    because her interests do not conflict with the interests of the class or subclass members she seeks to

    represent, and she has retained counsel competent and experienced in conducting complex class

    action litigation. Plaintiff and her counsel will adequately protect the interests of the class and

    subclass.

    39. A class action is superior to other available means for the fair and efficient

    adjudication of this dispute. The damages suffered by each individual member of the National Class

    and California Subclass are relatively small, while the burden and monetary expense needed to

    individually prosecute this case against Defendants is substantial. Thus, it would be virtually

    impossible for class and subclass members individually to redress effectively the wrongs done to them. Moreover, even if members of the class and subclass defined herein could afford individual

    actions, a multitude of such individual actions still would not be preferable to class wide litigation.

    Individual actions also present the potential for inconsistent or contradictory judgments, which

    would be dispositive of at least some of the issues and hence interests of the other members not party

    to the individual actions, would substantially impair or impede their ability to protect their interests,

    and would establish incompatible standards of conduct for the party opposing the class.

    40. By contrast, a class action presents far fewer litigation management difficulties, and

    provides the benefits of single adjudication, economies of scale, and comprehensive supervision by a

    single court. Also, or in the alternative, the National Class and California Subclass may be certified

    because Defendants have acted or refused to act on grounds generally applicable to each of the

    respective class and subclass, thereby making preliminary and final declaratory relief appropriate.

    Also in the alternative, the National Class and California Subclass may be certified with respect to

    particular issues pursuant to Fed.R.Civ.P. 23(c)(4).

    41. All records concerning Anthem’s data breach, including records sufficient to identify

    members of the National Class and California Subclass, are in the possession and control of Anthem

    and its agents and are available through discovery.

    VII. CLAIMS FOR RELIEF

    FIRST CAUSE OF ACTION

    Negligence (on Behalf of Plaintiff and the National Class against all Defendants)

    42. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates

    them as if they were fully written herein.

    43. Anthem owed a duty to Plaintiff and National Class members to exercise reasonable

    care in retaining, maintaining, securing and safeguarding the Personal Information of customers in

    Anthem’s possession from being compromised, stolen, accessed or misused by unauthorized

    persons. This duty included, inter alia, creating, maintaining, testing and securing Anthem’s

    databases containing customers’ personal, financial and health information to ensure that Plaintiff’s

    and National Class members’ personal, financial and health information was secured from cyber

    attack. This duty also included, at the minimum, that Plaintiff’s and National Class members’

    personal, financial and health information be maintained in encrypted form.

    44. Anthem owed a duty to Plaintiff and National Class members to implement processes

    to detect a breach of its security systems in a timely manner, and to act upon any warnings or alerts

    that Anthem’s security systems were breached.

    45. Anthem owed a duty to Plaintiff and National Class members to timely disclose any

    breach of its security systems.

    46. Anthem owed a duty to Plaintiff and National Class members to disclose

    that it could not adequately keep private the Personal Information of its customers.

    47. Anthem breached these duties owed to Plaintiff and National Class members by its

    conduct alleged herein by, inter alia, (i) failing to exercise reasonable care in retaining, maintaining,

    securing and safeguarding the Personal Information of customers in Anthem’s possession from being

    compromised, stolen, accessed or misused by unauthorized persons, including failing to encrypt

    customers’ Personal Information; (ii) failing to implement processes to detect a breach of its security

    systems in a timely manner, and to act upon any warnings or alerts that Anthem’s security systems

    were breached; (iii) failing to timely disclose to Plaintiff and members of the National Class any

    breach of its security systems; (iv) failing to timely disclose any breach of its security systems; and

    (v) failing to disclose that it could not adequately keep private the personal, financial and health

    information of its customers.

    48. As a result of Anthem’s conduct described throughout this Complaint, Plaintiff and

    National Class members have been harmed. Such harm includes the theft of their identities,

    personal, financial and health information; costs associated with detecting and preventing identity

    theft and unauthorized use of their personal, financial and health information; costs associated with

    the loss of work or productivity addressing, ameliorating, mitigating and otherwise dealing with

    actual and future consequences of the data breach, including finding unauthorized charges on credit

    cards, cancelling credit cards, purchasing credit monitoring and identity theft protection services,

    and stress, nuisance and annoyance with the issues resulting from Anthem’s data breach; actual and

    certain future injuries from fraud and identity theft due to Plaintiff’s and National Class members’

    personal, financial and health information being stolen by hackers; damages to Plaintiff’s and

    National Class members’ credit; premiums Plaintiff and National Class members paid to Anthem for

    health insurance where, had Plaintiff and National Class members known Anthem would not protect

    their personal, financial and/or health information private, they would have paid to another health

    insurance provider; and the overpayment of premium to Anthem for the cost of Anthem providing

    reasonable and adequate safeguards for Plaintiff’s and National Class members’ personal, private

    and health information.

    SECOND CAUSE OF ACTION

    Breach of Contract (on behalf of Plaintiff and National Class against all Defendants)

    49. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates

    them as if they were fully written herein.

    when they purchased health insurance from Anthem (or when health insurance was purchased from

    Anthem on their behalf).

    57. Plaintiff and National Class members would not have provided their Personal

    Information to Anthem absent Anthem’s implied promise to safeguard and protect consumers’

    Personal Information.

    58. Plaintiff and National Class members performed all the obligations required by them

    under the implied contract when they purchased health insurance from Anthem.

    59. Anthem breached its implied contracts with Plaintiff and National Class members by

    failing to safeguard and protect the personal, financial and health information provided to it by

    Plaintiff and National Class members.

    60. As a direct and proximate result of Anthem’s breach of its implied contracts, Plaintiff

    and National Class members suffered the damages and injuries described herein.

    FOURTH CAUSE OF ACTION

    Violations of the California Data Breach Act, California Civil Code §§ 1798.80, et seq. (on

    behalf of Plaintiff and the California Subclass against all Defendants)

    61. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates

    them as if they were fully written herein.

    62. The Personal Information maintained by Anthem, and that was taken in the data

    breach revealed on February 4, 2015, constitutes protected personal information under California’s

    Data Breach Act.

    63. Anthem was required to implement and maintain reasonable security procedures and

    practices to protect Plaintiff’s and California Subclass members’ personal information from

    unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code § 1798.81.5.

    64. Anthem was required to take all reasonable steps to dispose, or arrange for the

    disposal, of customer records within its custody or control containing personal information when the

    records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise

    modifying the personal information in those records to make it unreadable or undecipherable

    through any means. Cal. Civ. Code § 1798.81.

    65. Anthem was also required to disclose a breach of the security of the system following

    discovery or notification of the breach in the security of the data to a resident of California whose

    unencrypted personal information was, or is reasonably believed to have been, acquired by an

    unauthorized person. The disclosure shall be made in the most expedient time possible and without

    unreasonable delay…. Cal. Civ. Code § 1798.82.

    66. Anthem has violated California’s Data Breach Act by (i) failing to implement and

    maintain reasonable security procedures and practices to protect Plaintiff’s and California Subclass

    members’ personal information from unauthorized access, destruction, use, modification, or

    disclosure; (ii) failing to take all reasonable steps to dispose, or arrange for the disposal, of customer

    records within its custody or control containing personal information when the records are no longer

    to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal

    information in those records to make it unreadable or undecipherable through any means; and (iii)

    failing to disclose in the most expedient time possible without delay that California residents’

    unencrypted personal information was, or was reasonably believed to have been, acquired by an

    unauthorized person.

    67. As a result of Anthem’s violation of California’s Data Breach Act, Plaintiff and

    California Subclass members are entitled to recover damages sustained as a result of Anthem’s

    violation of the Data Breach Act, as well as attorneys’ fees, costs, and expenses incurred in bringing

    this action.

    FIFTH CAUSE OF ACTION

    Violation of The “Unlawful” prong of the Unfair Competition Law, Bus. & Prof. Code §§

    17200, et seq. (on behalf of Plaintiff and the California Default-Related Service Fee Subclass against all Defendants)

    68. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates

    them as if they were fully written herein.

    69. Plaintiff brings this cause of action on behalf of herself and the members of the

    California Subclass.

    70. The Unfair Competition Law (“UCL”), California Business and Professions Code §§

    17200, et seq., defines unfair business competition to include any “unlawful, unfair or fraudulent”

    act or practice.

    71. A business act or practice is “unlawful” if it violates any established state or federal

    law.

    72. Defendants have and continue to violate the “unlawful” prong of the UCL by failing

    to securely maintain Plaintiff’s and California Subclass members’ Personal Information, failing to

    destroy Plaintiff’s and California Subclass members’ Personal Information when it was not needed,

    and failing to timely notify Plaintiff and California Subclass members of the data breach as

    described herein in violation of California’s Data Breach Act, Cal. Civ. Code §§ 1798, et seq.

    73. Through their unlawful acts and practices, Defendants have obtained, and continue to

    unfairly obtain, money from Plaintiff and members of the California Subclass. As such, Plaintiff

    requests on behalf of herself and all California Subclass members the relief set forth in the Prayer,

    including that this Court enjoin Defendants from continuing to violate the Unfair Competition Law

    as discussed herein. Otherwise, the California Subclass may be irreparably harmed and/or denied an

    effective and complete remedy if such an order is not granted.

    SIXTH CAUSE OF ACTION

    Restitution Based On Unjust Enrichment/Quasi-Contract (on behalf of Plaintiff and the National Class against All Defendants)

    74. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates

    them as if they were fully written herein. Plaintiff pleads this Cause of Action in the alternative.

    75. Defendants’ failure to secure Plaintiff’s and National Class members’ Personal

    Information, failure to destroy said information when it was no longer necessary to maintain, and

    failure to timely notify Plaintiff and National Class members of the data breach was unlawful as

    described herein. Defendants took money from (or on behalf of) Plaintiff and National Class

    members based upon assurances that it would maintain the security of the Personal Information

    provided to it. By failing to maintain the security and privacy of Plaintiff and National Class

    members’ personal, financial and health information, Defendants have been unjustly enriched at the

    expense of Plaintiff and National Class members, thereby creating a quasi-contractual obligation on

    Defendants to restore these ill-gotten gains to Plaintiff and the National Class.

    76. As a direct and proximate result of Defendants’ unjust enrichment, Plaintiff and the

    National Class are entitled to restitution or restitutionary disgorgement in an amount to be proved at

    trial.

    VIII. PRAYER

    WHEREFORE, Plaintiff, on behalf of herself and all members of the National Class and

    California Subclass requests award and relief as follows:

    A. An order certifying that this action is properly brought and may be maintained as a

    class action, that Plaintiff Loralee Giotta be appointed a Class Representative for the National Class

    and California Subclass, and that Plaintiff’s counsel be appointed Counsel for the National Class and

    California Subclass.

    B. Awarding compensatory damages in an amount determined at trial for each Cause of

    Action asserted herein for which these damages are available.

    C. Awarding restitution in an amount determined at trial for each Cause of Action

    asserted herein for which this relief is available.

    D. An order enjoining Defendants from continuing the unlawful practices as set forth

    herein, and directing Defendants to identify, with Court supervision, victims of their conduct and

    pay them restitution.

    E. Awarding interest on the monies wrongfully obtained from the date of collection

    through the date of entry of judgment in this action.

    F. An order awarding Plaintiff her costs of suit, including reasonable attorneys’ fees and

    pre and post-judgment interest, as provided by law, or equity, or as otherwise available.

    G. Such other and further relief as may be available as part of the statutory claims

    asserted herein, or otherwise as may be deemed necessary or appropriate for any of the claims

    asserted.

    IX. DEMAND FOR JURY TRIAL

    Plaintiff hereby demands a trial by jury on all claims and/or issues so triable.

    DATED: February 9, 2015 Respectfully Submitted,

    /s/William T. Payne
    William T. Payne (CSB 90988)
    Joseph N. Kravec, Jr.
    Wyatt A. Lison
    FEINSTEIN DOYLE PAYNE & KRAVEC, LLC
    Allegheny Building, 17th Floor
    429 Forbes Avenue
    Pittsburgh, PA 15219
    Tel: (412) 281-8400
    Fax: (412) 281-1007
    Email: [email protected]
    Email: [email protected]
    Email: [email protected]

    ATTORNEYS FOR PLAINTIFF AND THE PROPOSED CLASS AND SUBCLASS

    Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page19 of 19