Professional Documents
Culture Documents
individually, and on behalf of all other individuals, against Defendants for their failure to
safeguard and secure the medical records, and other personally identifiable information,
including names, dates of birth, social security numbers, billing information, and highly
confidential health and other types of information (collectively Personally Identifiable
Information or PII) and personal health related information (collectively Personal Health
Information or PHI) of Plaintiffs and Class Members. PHI and PII shall also be referred to
collectively as Personal Information. Defendants announced to the public this massive lost of
information on or about February 4, 2015.
2.
4.
5.
Corporation, registered with the California Secretary of State to do business in California, and
headquartered in Indianapolis, Indiana.
6.
aggregate, Plaintiffs claims and the claims of the other members of the Class exceed $5,000,000
exclusive of interest and costs, and there are numerous class members who are citizens of states
other than Defendants states of citizenship, which are Indiana and California.
8.
9.
Venue is proper in this Court pursuant to 28 U.S.C. 1391 because many of the
acts and transactions giving rise to this action occurred in this District and because ANTHEM is
subject to personal jurisdiction in this District.
GENERAL ALLEGATIONS
10.
insureds, including its Ohio insureds, that they had fallen victim to a data breach stating that the
personal information from our current and former members such as their names, birthdays,
member ID/Social Security numbers, street addresses, email addresses and employment
information, including income data. Available at <www.anthemfacts.com> (last visited
February 8, 2015).
11.
of all other similarly situated persons, whose personally personally identifiable information (e.g.
patient names, addresses, birthdates, telephone numbers and social security numbers and,
possibly including, patient credit card, medical or clinical information)(hereinafter PII/PHI)
which is considered protected under the Health Insurance Portability and Accountability Act
(HIPAA)was entrusted to Defendants and was stolen, disclosed, and/or made accessible to
hackers and identity thieves.
12.
procedures, the PII/PHI of over 80 million patients (including Plaintiffs and the class they seek to
represent) is now in the hands of thieves.
13.
acknowledged that they insure over three million Ohio residents, including many Ohio
municipalities, including Dayton, and several counties including Butler, Clayton, Engelwood,
Clark and Champaign. Gokavi, M. and Simon D., Hackers Steal Millions of Anthem Health
Insurance Customers Data, Dayton Daily News (Feb. 5, 2015), available at
<http://www.daytondailynews.-com/news/news/crime-law/hackers-steal-millions-of-anthemhealth-insurance-/nj5f4/>. In addition, Defendant Community Insurance Company was Ohios
largest health insurer by premium revenue in 2013 with more than $5 billion in revenue. Ohio
Hospital Association, Ohios Health Insuring Corporations Performance Report, Aug. 2014
available at <http://ohiohospitals.org/OHA/media/Images/News%20and%20Publications/Reports/Ohio-Health-Insuring-Corporations-Report-August-2014.pdf> .
14.
Plaintiffs and class members now face a substantially increased risk of additional
instances of identity theft and resulting losses, if not additional acts of identity theft and resulting
losses.
15.
Plaintiffs and class members are imminently in danger of sustaining direct injury
as a result of the identify theft they suffered when Defendants failed to protect and secure his
PII/PHI and disclosed his PII/PHI to hackers. These further instances of identity theft are
certainly impending and imminent. The PII/PHI access, copied, and transferred from Defendants
has all of the information wrongdoers need, and the American government and financial system
requires, to completely and absolutely misuse Plaintiffs and class members identity to their
detriment.
16.
As a result, Plaintiffs and class members have and will continue to spend
significant time and money to protect themselves, including: the cost of responding to the data
breach, cost of assessing damages, mitigation costs, costs to rehabilitate PII/PHI, and costs to
reimburse from losses proximately caused by the breach.
17.
In addition, Plaintiffs and class members have received a diminished value of the
services they paid Defendants to provide, as a direct and proximate result of Defendants failure
to follow contractually agreed upon, federally mandated, and industry standard security
procedures.
18.
Plaintiffs have health insurance issued by ANTHEM, and as a result, Anthem has
On information and belief, Plaintiffs PHI and PII was disclosed in the data
breach.
CLASS ACTION ALLEGATIONS
20.
Plaintiffs bring this action on their own behalf, and on behalf of all other persons
similarly situated (the Class). The Class that Plaintiffs seek to represent is:
All persons who reside in Ohio and have purchased health insurance
from Anthem, Inc. d.b.a Anthem Health, Inc. or Community Insurance
Company and whose personal and/or financial information was breached as a
result of the data breach announced on or about February 4, 2015.
Excluded from the Class are Defendants; officers, directors, and
employees of Defendants; any entity in which Defendants have a controlling
interest; the affiliates, legal representatives, attorneys, heirs, and assigns of
the Defendants.
21.
The members of the Class are so numerous that the joinder of all members is
impractical. While the exact number of Class members is unknown to Plaintiffs at this time,
based on information and belief, it is in the millions.
22.
because common questions of law and fact predominate, Plaintiffs claims are typical of the
members of the Class, and Plaintiffs can fairly and adequately represent the interests of the
Class.
23.
This action satisfies the requirements of Federal Rule of Civil Procedure 23(b)(3)
because it involves questions of law and fact common to the member of the Class that
predominate over any questions affecting only individual members, including, but not limited to:
a.
procedures and practices appropriate to the nature and scope of the information compromised in
the data breach.
d.
e.
f.
Facts;
Whether Plaintiffs and the Class are entitled to damages, civil penalties,
Plaintiffs claims are typical of those of other Class members because Plaintiffs
PHI and PII, like that of every other class member, was misused and/or disclosed by Defendants.
25.
Plaintiffs will fairly and accurately represent the interests of the Class.
26.
create a risk of inconsistent or varying adjudications with respect to individual members of the
Class, which would establish incompatible standards of conduct for Defendants and would lead
to repetitive adjudication of common questions of law and fact. Accordingly, class treatment is
superior to any other method for adjudicating the controversy. Plaintiffs knows of no difficulty
that will be encountered in the management of this litigation that would preclude its maintenance
as a class action under Rule 23(b)(3).
27.
Damages for any individual class member are likely insufficient to justify the cost
of individual litigation, so that in the absence of class treatment, Defendants violations of law
inflicting substantial damages in the aggregate would go un-remedied without certification of the
Class.
28.
Defendants have acted or refused to act on grounds that apply generally to the
Plaintiffs and Class Members paid money to Defendants in exchange for services,
which included promises to secure, safeguard, protect, keep private, and not disclose Plaintiffs
and Class Members PII/PHI.
31.
promised Plaintiffs and Class Members that it would protect, secure, keep private, and not
disclose their PII/PHI.
32.
These documents were provided in a manner and during a time where they
Defendants promised to comply with all HIPAA standards and to make sure that
Plaintiffs PII/PHI was protected, secured, kept private, and not disclosed.
34.
Alternatively, to the extent it was not expressed or, again alternatively, an implied
contract existed in the absence of an express contract whereby, Defendants promised to comply
with all HIPAA standards and regulations and to ensure that Plaintiffs and Class Members
PII/PHI was secured, safeguarded, kept private, protected, and not disclosed to third parties.
35.
To the extent that it was not expressed, an implied contract was created whereby
Defendants promised to safeguard Plaintiffs and Class Members health information and
PII/PHI from being accessed, copied, and transferred by or disclosed to third parties.
36.
Alternatively, an express contract did not exist, but an implied contract existed
between the parties whereby, in exchange for monies from Plaintiffs and Class Members,
Defendants agreed to protect, safeguard, secure, keep private, and not disclose to third-parties
Plaintiffs and Class Members PII/PHI.
37.
Plaintiffs and Class Members with prompt and sufficient notice of any and all unauthorized
access and/or theft of their PII/PHI.
38.
Defendants failed to secure, safeguard, protect, and/or keep private Plaintiffs and
Class Members health information and PII/PHI and, therefore, breached its contract with
Plaintiffs and Class Members.
39.
obligations resulted in Defendants providing services to Plaintiffs and Class Members that were
of a diminished value.
40.
As a result, Plaintiffs and Class Members have been harmed, damaged, and/or
injured.
41.
Plaintiffs and the Class members delivered and entrusted their Private Information
During the time of bailment, Defendants owed Plaintiffs and the Class members a
duty to safeguard this information properly and maintain reasonable security procedures and
practices to protect such information. Defendants breached this duty by failing to maintain
Plaintiffs and Class Members PII/PHI in a reasonably secure manner.
45.
As a result of these breaches of duty, Plaintiffs and the Class members have
suffered harm.
46.
47.
Plaintiffs and Class Members have conferred benefits on Defendant. The monthly
insurance premiums paid by Plaintiffs and Class Members to Defendants comprise the benefits
conferred. Defendants used these premiums, in part, to pay for the administrative costs of data
management and security.
49.
The circumstances are such that it would be inequitable for Defendants to retain
the benefits conferred without paying fair value for it. Since Defendants failed to implement the
data management and security protocols and procedures required by law and by industry
standards, it should not be permitted to retain the premiums paid by Plaintiffs and Class
Members.
PRAYER FOR RELIEF
WHEREFORE Plaintiffs pray for judgment as follows:
A.
For an Order certifying this action as a class action and appointing Plaintiffs and
For equitable relief enjoining Defendants from engaging in the wrongful conduct
complained of herein pertaining to the misuse and/or disclosure of Plaintiffs and Class
members Private Information, and from refusing to issue prompt, complete and accurate
disclosures to the Plaintiffs and Class members;
C.
F.
For an award of costs of suit and attorneys fees, as allowable by law; and
G.
Such other and further relief as this court may deem just and proper.
DEMAND FOR JURY TRIAL
Plaintiffs hereby demand a jury trial of his claims to the extent authorized by law.
10
11