UNITED STATES DISTRICT COURT

SOUTHERN DISTRICT OF OHIO

Case No. 1:15-cv-00096
Margaret McKinley and Nicholas Bowes,
individually and on behalf of all others similarly
situated,
Plaintiffs,
vs.
ANTHEM, INC., d.b.a Anthem Health, Inc., an
Indiana Corporation, COMMUNITY
INSURANCE COMPANY, d.b.a. Anthem Blue
Cross and Blue Shield,
Defendants.

CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL

Plaintiffs Margaret McKinley and Nicholas Bowes (Plaintiffs) bring this class action
against Defendants ANTHEM, INC., d.b.a Anthem Health, Inc., an Indiana Corporation and
COMMUNITY INSURANCE COMPANY, d.b.a. Blue Cross Blue Shield (collectively,
ANTHEM or DEFENDANTS), as a result of the massive data breach suffered by as many as
80 million ANTHEM customers, on behalf of Plaintiffs and all others similarly situated to obtain
damages, restitution and injunctive relief for the Class, as defined below, from Defendants.
Plaintiffs make the following allegations upon information and belief, except as to their own
actions, the investigation of her counsel, and the facts that are a matter of public record:
NATURE OF CLAIM
1.

This is a consumer class action lawsuit brought on behalf of Plaintiffs,

individually, and on behalf of all other individuals, against Defendants for their failure to
safeguard and secure the medical records, and other personally identifiable information,

including names, dates of birth, social security numbers, billing information, and highly
confidential health and other types of information (collectively Personally Identifiable
Information or PII) and personal health related information (collectively Personal Health
Information or PHI) of Plaintiffs and Class Members. PHI and PII shall also be referred to
collectively as Personal Information. Defendants announced to the public this massive lost of
information on or about February 4, 2015.
2.

Defendants failed to keep safe their customers sensitive private, financial,

medical and personal information.

PARTIES
3.

Plaintiff Margaret McKinley is an individual who resides in this District.

4.

Plaintiff Nicholas Bowes is an individual who resides in this District.

5.

Defendant ANTHEM, INC., D.B.A. ANTHEM HEALTH, INC. is an Indiana

Corporation, registered with the California Secretary of State to do business in California, and
headquartered in Indianapolis, Indiana.
6.

Defendant COMMUNITY INSURANCE COMPANY is an Ohio Corporation,

that is headquartered in Mason, Ohio.

JURISDICTION AND VENUE
7.

This Court has original jurisdiction pursuant to 28 U.S.C. 1332(d)(2). In the

aggregate, Plaintiffs claims and the claims of the other members of the Class exceed $5,000,000
exclusive of interest and costs, and there are numerous class members who are citizens of states
other than Defendants states of citizenship, which are Indiana and California.
8.

This Court has personal jurisdiction over ANTHEM because ANTHEM is

authorized to do and does business in the State of Ohio.

9.

Venue is proper in this Court pursuant to 28 U.S.C. 1391 because many of the

acts and transactions giving rise to this action occurred in this District and because ANTHEM is
subject to personal jurisdiction in this District.
GENERAL ALLEGATIONS
10.

On or about February 4, 2015, ANTHEM published a website notifying its

insureds, including its Ohio insureds, that they had fallen victim to a data breach stating that the
personal information from our current and former members such as their names, birthdays,
member ID/Social Security numbers, street addresses, email addresses and employment
information, including income data. Available at <www.anthemfacts.com> (last visited
February 8, 2015).
11.

This is a consumer class action brought by Plaintiffs, individually and on behalf

of all other similarly situated persons, whose personally personally identifiable information (e.g.
patient names, addresses, birthdates, telephone numbers and social security numbers and,
possibly including, patient credit card, medical or clinical information)(hereinafter PII/PHI)
which is considered protected under the Health Insurance Portability and Accountability Act
(HIPAA)was entrusted to Defendants and was stolen, disclosed, and/or made accessible to
hackers and identity thieves.
12.

As a result of Defendants failure to implement and follow basic security

procedures, the PII/PHI of over 80 million patients (including Plaintiffs and the class they seek to
represent) is now in the hands of thieves.
13.

Defendants have a significant presence in the State of Ohio. Defendants have

acknowledged that they insure over three million Ohio residents, including many Ohio
municipalities, including Dayton, and several counties including Butler, Clayton, Engelwood,

Clark and Champaign. Gokavi, M. and Simon D., Hackers Steal Millions of Anthem Health
Insurance Customers Data, Dayton Daily News (Feb. 5, 2015), available at
<http://www.daytondailynews.-com/news/news/crime-law/hackers-steal-millions-of-anthemhealth-insurance-/nj5f4/>. In addition, Defendant Community Insurance Company was Ohios
largest health insurer by premium revenue in 2013 with more than $5 billion in revenue. Ohio
Hospital Association, Ohios Health Insuring Corporations Performance Report, Aug. 2014
available at <http://ohiohospitals.org/OHA/media/Images/News%20and%20Publications/Reports/Ohio-Health-Insuring-Corporations-Report-August-2014.pdf> .
14.

Plaintiffs and class members now face a substantially increased risk of additional

instances of identity theft and resulting losses, if not additional acts of identity theft and resulting
losses.
15.

Plaintiffs and class members are imminently in danger of sustaining direct injury

as a result of the identify theft they suffered when Defendants failed to protect and secure his
PII/PHI and disclosed his PII/PHI to hackers. These further instances of identity theft are
certainly impending and imminent. The PII/PHI access, copied, and transferred from Defendants
has all of the information wrongdoers need, and the American government and financial system
requires, to completely and absolutely misuse Plaintiffs and class members identity to their
detriment.
16.

As a result, Plaintiffs and class members have and will continue to spend

significant time and money to protect themselves, including: the cost of responding to the data
breach, cost of assessing damages, mitigation costs, costs to rehabilitate PII/PHI, and costs to
reimburse from losses proximately caused by the breach.
17.

In addition, Plaintiffs and class members have received a diminished value of the

services they paid Defendants to provide, as a direct and proximate result of Defendants failure
to follow contractually agreed upon, federally mandated, and industry standard security
procedures.
18.

Plaintiffs have health insurance issued by ANTHEM, and as a result, Anthem has

required that Plaintiffs provide their PII/PHI to Anthem.

19.

On information and belief, Plaintiffs PHI and PII was disclosed in the data

breach.
CLASS ACTION ALLEGATIONS
20.

Plaintiffs bring this action on their own behalf, and on behalf of all other persons

similarly situated (the Class). The Class that Plaintiffs seek to represent is:
All persons who reside in Ohio and have purchased health insurance
from Anthem, Inc. d.b.a Anthem Health, Inc. or Community Insurance
Company and whose personal and/or financial information was breached as a
result of the data breach announced on or about February 4, 2015.
Excluded from the Class are Defendants; officers, directors, and
employees of Defendants; any entity in which Defendants have a controlling
interest; the affiliates, legal representatives, attorneys, heirs, and assigns of
the Defendants.
21.

The members of the Class are so numerous that the joinder of all members is

impractical. While the exact number of Class members is unknown to Plaintiffs at this time,
based on information and belief, it is in the millions.
22.

There is a well-defined community of interest among the members of the Class

because common questions of law and fact predominate, Plaintiffs claims are typical of the
members of the Class, and Plaintiffs can fairly and adequately represent the interests of the
Class.
23.

This action satisfies the requirements of Federal Rule of Civil Procedure 23(b)(3)

because it involves questions of law and fact common to the member of the Class that
predominate over any questions affecting only individual members, including, but not limited to:
a.

Whether Defendants unlawfully used, maintained, lost or disclosed Class

members PHI and PII;

b.

Whether ANTHEM unreasonably delayed in notifying affected customers

of the data breach;

c.

Whether Defendants failed to implement and maintain reasonable security

procedures and practices appropriate to the nature and scope of the information compromised in
the data breach.
d.

Whether Defendants conduct constituted Public Disclosure of Private

e.

Whether Defendants conduct constituted Bailment;

f.

Whether Defendants unlawfully used, maintained, lost or disclosed Class

Facts;

members PHI and PII;

g.

Whether Plaintiffs and the Class are entitled to damages, civil penalties,

punitive damages, and/or injunctive relief.

24.

Plaintiffs claims are typical of those of other Class members because Plaintiffs

PHI and PII, like that of every other class member, was misused and/or disclosed by Defendants.
25.

Plaintiffs will fairly and accurately represent the interests of the Class.

26.

The prosecution of separate actions by individual members of the Class would

create a risk of inconsistent or varying adjudications with respect to individual members of the
Class, which would establish incompatible standards of conduct for Defendants and would lead
to repetitive adjudication of common questions of law and fact. Accordingly, class treatment is

superior to any other method for adjudicating the controversy. Plaintiffs knows of no difficulty
that will be encountered in the management of this litigation that would preclude its maintenance
as a class action under Rule 23(b)(3).
27.

Damages for any individual class member are likely insufficient to justify the cost

of individual litigation, so that in the absence of class treatment, Defendants violations of law
inflicting substantial damages in the aggregate would go un-remedied without certification of the
Class.
28.

Defendants have acted or refused to act on grounds that apply generally to the

class, as alleged above, and certification is proper under Rule 23(b)(2).

FIRST COUNT
Breach of Contract
29.

Plaintiffs incorporate the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

30.

Plaintiffs and Class Members paid money to Defendants in exchange for services,

which included promises to secure, safeguard, protect, keep private, and not disclose Plaintiffs
and Class Members PII/PHI.
31.

In documents that memorialize the obligations of the parties, Defendants

promised Plaintiffs and Class Members that it would protect, secure, keep private, and not
disclose their PII/PHI.
32.

These documents were provided in a manner and during a time where they

became part of the agreement for services.

33.

Defendants promised to comply with all HIPAA standards and to make sure that

Plaintiffs PII/PHI was protected, secured, kept private, and not disclosed.

34.

Alternatively, to the extent it was not expressed or, again alternatively, an implied

contract existed in the absence of an express contract whereby, Defendants promised to comply
with all HIPAA standards and regulations and to ensure that Plaintiffs and Class Members
PII/PHI was secured, safeguarded, kept private, protected, and not disclosed to third parties.
35.

To the extent that it was not expressed, an implied contract was created whereby

Defendants promised to safeguard Plaintiffs and Class Members health information and
PII/PHI from being accessed, copied, and transferred by or disclosed to third parties.
36.

Alternatively, an express contract did not exist, but an implied contract existed

between the parties whereby, in exchange for monies from Plaintiffs and Class Members,
Defendants agreed to protect, safeguard, secure, keep private, and not disclose to third-parties
Plaintiffs and Class Members PII/PHI.
37.

Under the implied contract, Defendants were further obligated to provide

Plaintiffs and Class Members with prompt and sufficient notice of any and all unauthorized
access and/or theft of their PII/PHI.
38.

Defendants failed to secure, safeguard, protect, and/or keep private Plaintiffs and

Class Members health information and PII/PHI and, therefore, breached its contract with
Plaintiffs and Class Members.
39.

Furthermore, Defendants failure to satisfy their confidentiality and privacy

obligations resulted in Defendants providing services to Plaintiffs and Class Members that were
of a diminished value.
40.

As a result, Plaintiffs and Class Members have been harmed, damaged, and/or

injured.
41.

Plaintiffs seek an award of compensatory damages from Defendants on behalf of

themselves and the class.

SECOND COUNT
Bailment
42.

Plaintiffs incorporate the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

43.

Plaintiffs and the Class members delivered and entrusted their Private Information

to Defendants for the sole purpose of receiving services from Defendants.

44.

During the time of bailment, Defendants owed Plaintiffs and the Class members a

duty to safeguard this information properly and maintain reasonable security procedures and
practices to protect such information. Defendants breached this duty by failing to maintain
Plaintiffs and Class Members PII/PHI in a reasonably secure manner.
45.

As a result of these breaches of duty, Plaintiffs and the Class members have

suffered harm.
46.

Plaintiffs seek actual damages on behalf of the Class.

THIRD COUNT
Unjust Enrichment

47.

Plaintiffs incorporate the substantive allegations contained in all previous

paragraphs as if fully set forth herein.

48.

Plaintiffs and Class Members have conferred benefits on Defendant. The monthly

insurance premiums paid by Plaintiffs and Class Members to Defendants comprise the benefits
conferred. Defendants used these premiums, in part, to pay for the administrative costs of data
management and security.
49.

Defendants have knowledge of the benefits conferred by Plaintiffs and Class

Members and has retained these benefits.

50.

The circumstances are such that it would be inequitable for Defendants to retain

the benefits conferred without paying fair value for it. Since Defendants failed to implement the
data management and security protocols and procedures required by law and by industry
standards, it should not be permitted to retain the premiums paid by Plaintiffs and Class
Members.
PRAYER FOR RELIEF
WHEREFORE Plaintiffs pray for judgment as follows:
A.

For an Order certifying this action as a class action and appointing Plaintiffs and

their Counsel to represent the Class;

B.

For equitable relief enjoining Defendants from engaging in the wrongful conduct

complained of herein pertaining to the misuse and/or disclosure of Plaintiffs and Class
members Private Information, and from refusing to issue prompt, complete and accurate
disclosures to the Plaintiffs and Class members;
C.

For equitable relief requiring restitution and disgorgement of the revenues

wrongfully retained as a result of Defendants wrongful conduct;

D.

For an award of actual damages, compensatory damages, statutory damages, and

statutory penalties, in an amount to be determined;

E.

For an award of punitive damages;

F.

For an award of costs of suit and attorneys fees, as allowable by law; and

G.

Such other and further relief as this court may deem just and proper.
DEMAND FOR JURY TRIAL

Plaintiffs hereby demand a jury trial of his claims to the extent authorized by law.

10

Dated: February 9, 2015

/s/ Phillip A. Kuri________________________

Phillip A. Kuri (Ohio Bar No. 0061910)
Email: pkuri@elkandelk.com
Kimberly C. Young (Ohio Bar No. 0085794)
Email: kyoung@elkandelk.com
ELK AND ELK CO., LTD.
6105 Parkland Boulevard
Cleveland, Ohio 44124
Telephone: (440) 442-6622
Facsimile: (440) 442-7999

/s/ Steven R. Jaffe________________________

Steven R. Jaffe (Fla. Bar No. 390770)*
Email: steve@pathtojustice.com
Mark S. Fistos (Fla. Bar No. 909191)*
Email: mark@pathtojustice.com
Seth M. Lehrman (Fla. Bar No. 132896)*
Email: seth@pathtojustice.com
FARMER, JAFFE, WEISSING,
EDWARDS, FISTOS & LEHRMAN, P.L.
425 North Andrews Avenue, Suite 2
Fort Lauderdale, FL 33301
Telephone: (954) 524-2820
Facsimile: (954) 524-2822
*Seeking Pro Hac Vice Admission

11