
UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF INDIANA

INDIANAPOLIS DIVISION

DAVID IFVERSEN, individually and on behalf of all others similarly situated,

Plaintiff,

v.

ANTHEM, INC. an Indiana corporation,

Defendant.

No. 15-cv-209

DEMAND FOR JURY TRIAL

PLAINTIFF’S CLASS ACTION COMPLAINT

Plaintiff David Ifversen (“Plaintiff”) files this Class Action Complaint (“Complaint”) on

behalf of himself and all others similarly situated, by and through the undersigned attorneys,

against Defendant Anthem, Inc. (“Defendant” or “Anthem”), which was known previously as

WellPoint, Inc., and alleges as follows upon personal knowledge as to himself and his own acts

and experiences, and, as to all other matters, upon information and belief based upon, inter alia,

investigation conducted by his attorneys.

I. NATURE OF THE ACTION

1. On February 4, 2015, Anthem revealed that it had suffered a catastrophic data

breach (“Data Breach”) of its information technology system (“Network”). Anthem is the

second largest health insurer in the United States. This was not the first time Anthem has

suffered a massive data breach, but it is the worst.

2. The hackers gained access to sensitive and confidential data entrusted to Anthem,

including full names, social security numbers/medical identification numbers, home addresses,

email addresses, employment information (including income data), dates of birth, and other

personal information (“Personally Identifying Information” or “PII”). To date, it has been

reported that the Data Breach compromised the data of 80 million people, including current and

former members as well as Anthem’s own employees.

Case 1:15-cv-00209-SEB-DML Document 1 Filed 02/11/15 Page 1 of 22 PageID #: 1

3. Anthem left the most sensitive PII of its consumers and employees vulnerable to

data breach and misuse because, in part, the data was unencrypted. Anthem suffered the

catastrophic Data Breach because it failed to develop, maintain, and implement sufficient

security measures on its database, particularly given the fact that its systems harbor medical and

other private data. Indeed, as discussed below, Anthem has previously been investigated for its

failure to reasonably protect PII and was subsequently the subject of a similar — though far less

massive — data breach, which resulted in a government fine, private litigation and a class action

settlement. Further, last summer, the FBI issued a warning that the health care industry might be

targeted by hackers. Nevertheless, Anthem has repeatedly failed to take these warnings to heart.

4. Anthem’s recent Data Breach also follows in the wake of a number of widely

publicized data breaches affecting companies such as Target, Home Depot, Neiman Marcus,

Community Health Systems, Inc., Michaels Stores, Jimmy Johns, Sony Pictures Entertainment,

J.P. Morgan Chase & Co., P.F. Chang’s, Staples, and others. Notwithstanding these earlier data

security incidents at Anthem and at others, Anthem failed to take adequate steps to prevent the

Data Breach from occurring.

5. Anthem’s reaction to the Data Breach has been anemic at best. It has failed to

timely notify affected employees and consumers including Plaintiff. For a portion of affected

consumers and employees, Anthem is offering credit monitoring protection for a period of one

year – a woefully deficient short-term solution to a lifelong problem. The Connecticut Attorney

General has already demanded that Anthem “immediately provide” two years’ worth of credit

monitoring “at the very least.” Indeed, in a class action settlement reached in Orange County,

California, related to the unauthorized disclosure of personal and financial information on health

insurance applications, Anthem offered, inter alia, two full years of credit monitoring for those

who did not experience any identity theft losses (and a total of six years to those who did). See

https://AnthemBlueCrossSecuritySettlement.com.

6. Consumers and employees face a “lifelong battle” to control the damages of their

PII being stolen by hackers, including fraudulent tax returns, stolen identities, and/or medical

identity fraud.1 Anthem’s failure to adequately protect PII has caused, and will continue to

cause, substantial customer harm and injuries to Anthem consumers and employees across the

United States.

7. Plaintiff, individually and on behalf of the Class defined below, seeks to hold

Anthem accountable for the Data Breach by ensuring that it provide adequate protection to those

affected. Plaintiff seeks relief for Anthem's breach of implied contractual obligations,

negligence, violations of certain statutes discussed infra, bailment and, alternatively, unjust

enrichment.

II. JURISDICTION AND VENUE

8. This Court has subject matter jurisdiction of this action pursuant to 28 U.S.C.

§ 1332 of the Class Action Fairness Act of 2005 because: (i) there are 100 or more class

members, (ii) there is an aggregate amount in controversy exceeding $5,000,000, exclusive of

interest and costs, and (iii) there is minimal diversity because at least one plaintiff and defendant

are citizens of different states. This Court also has supplemental jurisdiction over the state law

claims pursuant to 28 U.S.C. § 1367.

1 Shary Rudavsky, Anthem Data Breach Could Be “Lifelong Battle” for Customers, IndyStar, February 7, 2015, available at http://www.indystar.com/story/news/2015/02/05/anthem-data-breach-lifelong-battle-customers/22953623/ (last visited February 11, 2015).

9. This Court has personal jurisdiction over Defendant because it maintains its

principal place of business in this judicial district and division and has such minimum contacts in

this state to make this Court's exercise of jurisdiction proper.

10. Venue is proper in this judicial district and division pursuant to 28 U.S.C. § 1391

because Defendant is headquartered in this district and division, is subject to personal

jurisdiction in this district and division, and therefore is deemed to be a citizen of this district and

division. Additionally, a substantial part of the events and/or omissions giving rise to the claims

occurred within this district and division.

III. PARTIES

11. Plaintiff David Ifversen is currently a resident of the State of Nevada. Plaintiff

Ifversen has medical insurance coverage through Anthem Blue Cross Blue Shield. As a result of

Plaintiff Ifversen’s insurance coverage, on information and belief, Defendant Anthem obtained,

used, and stored his PII, which he expected to be safeguarded and kept confidential. On

information and belief, Plaintiff Ifversen’s PII was compromised when hackers accessed

Anthem’s Network, including but not limited to his full name, current address, date of birth,

medical identification number, social security number, email address, employment information,

and income data. Plaintiff Ifversen did not consent to relinquish control over his PII or allow his

PII to be publicized in providing this information and paying his insurance premium in exchange

for medical insurance coverage. He is greatly troubled by his loss of control over his PII and/or

publication of his PII, and believes that he paid part of his insurance premium to ensure

reasonable security of his PII. Plaintiff Ifversen also feels stress over his loss of control over his

PII and/or publication of his PII, which he fears will subject him to lifelong exposure to identity

theft, medical data misuse and other repercussions.

12. Due to the extremely problematic nature of the loss of control and/or publication

of Plaintiff Ifversen’s PII, his resulting stress, and Defendant’s lack of timely notice and response

to the Data Breach, to date, Plaintiff Ifversen has expended hours attempting to safeguard

himself from identity theft or other harms caused by the release of his PII as a result of the Data

Breach. Going forward, Plaintiff Ifversen anticipates spending considerable time each day in an

effort to contain the impact of Anthem’s Data Breach as it relates to his PII that, on information

and belief, is now in the public domain.

13. Defendant Anthem is an entity incorporated in the State of Indiana with its

headquarters and principal place of business located at 120 Monument Circle in Indianapolis,

Indiana. Anthem was previously known as WellPoint, Inc., and was formed when Anthem

Insurance Company bought WellPoint Health Networks in 2004. Anthem issues securities that

are publicly traded on the New York Stock Exchange under the ticker symbol “WLP.”

IV. FACTUAL ALLEGATIONS

Anthem Has Repeatedly Failed to Reasonably Protect Consumer and Employee PII.

14. In 2009, an investigation by the U.S. Department of Health and Human Services

(“HHS”) under the Health Insurance Portability and Accountability Act (“HIPAA”) found that

Anthem, doing business as WellPoint, did not adequately implement policies and procedures to

protect unsecured “electronic protected health information” covered by HIPAA.

15. In 2010, a second investigation by HHS found that WellPoint still did not

adequately implement policies and procedures to protect unsecured “electronic protected health

information” covered by HIPAA, and that names, dates of birth, addresses, Social Security

numbers, telephone numbers and health information of 612,000 WellPoint customers and

employees were disclosed as a result.

16. HHS fined Anthem approximately $1.7 million for the 2010 data breach.

17. WellPoint’s chief information security officer at the time of the fine was Roy

Mellinger. He currently remains chief information security officer for Anthem.

18. In addition, despite Anthem’s offer of one year of credit monitoring to its insureds

as a result of the 2010 data breach, private litigation, including class action litigation, was

initiated.

Non-Financial PII has Long-Term Value on the Black Market

19. In a carefully crafted letter to Anthem members that was posted on Anthem’s

website on February 6, 2015, Anthem CEO Joseph R. Swedish emphasized that while he was not

currently aware of evidence that “credit card or medical information, such as claims, test results

or diagnostic codes” had been compromised through the Data Breach, numerous types of PII had

been compromised by it:

[A]ttackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

20. As noted by Kiplinger, however, the current lack of confirmed credit card

information compromise is no reason to breathe a sigh of relief for the Class:

The truth is, you might have been better off if only card information had been stolen because what the hackers got is potentially much more valuable: full names, birthdays, street addresses and Social Security numbers. “They got your secret sauce,” says Neal O’Farrell, a security and identity theft expert for Credit Sesame. “It’s as good as your DNA to hackers.”2

21. Moreover, the value of the non-financial PII that Anthem admits was

compromised by the Data Breach is highlighted by HIPAA’s protection of it.

2 Tips, “How to Protect Your Kids From the Anthem Data Breach,” Kiplinger (Feb. 10, 2015), available at http://www.kiplinger.com/article/credit/T048-C011-S001-how-to-protect-your-kids-from-the-anthem-data-brea.html (last visited February 11, 2015).

22. Senior HHS advisor Rachel Seeger has been quoted in the media emphasizing that

names and Social Security Numbers are protected under HIPAA—even if no specific diagnostic

or treatment information is disclosed:

The personally identifiable information that HIPAA-covered health plans maintain on enrollees and members — including names and Social Security Numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed.

23. As reported by Reuters, non-financial data “is worth 10 times more than your

credit card number on the black market.” This is because non-financial data theft is often not

immediately identified, “giving criminals years to milk such credentials.” This makes non-

financial data more valuable than credit cards, “which tend to be quickly canceled by banks once

fraud is detected.”3

24. Today, as reported by CreditCards.com, hackers are looking to steal non-financial

information so they can “continue to monetize victims’ identities over a longer period of time.”

Specifically, “[o]nce hackers have a medical ID, they can use it to procure prescription drugs or

expensive medical equipment or simply to commit financial fraud – often for months or years

before anyone notices.”4

25. As summed up by Kiplinger:

Unlike a credit card, you can’t cancel a Social Security number, which puts you at risk of being a lifelong victim, he says. Thieves can use that number to steal your identity and file fraudulent tax returns, rack up debt in your name and more.5

3 Humer, “Your Medical Record is Worth More to Hackers than Your Credit Card,” Reuters (Sept. 24, 2014), available at http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 (last visited February 11, 2015).

4 McCarthy, “How to Spot and Prevent Medical Identity Theft,” CreditCards.com (Aug. 19, 2014), available at http://www.creditcards.com/credit-card-news/spot-prevent-medical-identity-theft-1282.php (last visited February 11, 2015).

5 Tips, “How to Protect Your Kids From the Anthem Data Breach,” Kiplinger (Feb. 10, 2015), available at http://www.kiplinger.com/article/credit/T048-C011-S001-how-to-protect-your-kids-from-the-anthem-data-brea.html (last visited February 11, 2015).

Use of Compromised Non-Financial PII is Costly to Its Owners

26. Once use of compromised non-financial PII is detected, the emotional and

economic consequences to its owners are significant. As reported by CreditCards.com:

The Ponemon Institute found that 36 percent of medical ID theft victims pay to resolve the issue, and their out-of-pocket costs average nearly $19,000. Even if you don't end up paying out of pocket, such usage can wreak havoc on both medical and credit records, and clearing that up is a time-consuming headache. That's because medical records are scattered. Unlike personal financial information, which is consolidated and protected by credit bureaus, bits of your medical records end up in every doctor's office and hospital you check into, every pharmacy that fills a prescription and every facility that processes payments for those transactions.

Anthem Was Obligated to Keep Consumer and Employee PII Reasonably Secure.

27. As a health insurer, Anthem knows or should know of the risks its consumers and

employees face when their PII is misused and of the need to carefully safeguard this information,

in part because hackers breach the healthcare industry more frequently than any other segment of

the economy.6

28. Anthem’s own HIPAA Notice of Privacy Protection provides:

We are dedicated to protecting your [personal health information], and have set up a number of policies and practices to help make sure your [personal health information] is kept secure

We keep your oral, written and electronic [personal health information] safe using physical, electronic, and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your [personal health information] safe include securing offices that hold [personal health information], password-protecting computers, and locking storage areas and filing cabinets. We require our employees to protect [personal health information] through written policies and procedures. These policies limit access to [personal health information] to only those employees who need the data to do their job. Employees are also required to wear ID badges to help keep people who do not belong out of areas where sensitive data is kept. Also, where required by law, our affiliates and nonaffiliates must protect the privacy of data we share in the normal course of business. They are not allowed to give [personal health information] to others without your written OK, except as allowed by law and outlined in this notice.7

6 Greisiger, Cyber Liability & Data Breach Insurance Claims, NetDiligence 2013, at p. 2, available at http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf (last visited February 11, 2015).

29. Consumers and employees rely on health insurers such as Anthem to maintain

their sensitive health and PII to ensure it is both private and secure.

30. Anthem claims to maintain state-of-the-art information security systems to protect

its customer personal health and financial data.8

31. Yet, despite its promises, on January 29, 2015, hackers were able to access

the unencrypted PII of millions of Anthem’s customers, including names, birthdays, medical

IDs/social security numbers, street addresses, email addresses and employment information,

including income data.9

32. Anthem confirmed that all of its product lines were impacted by the Data Breach,

including Anthem Blue Cross, Blue Cross of California, Anthem Blue Cross and Blue Shield,

Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup,

Caremore, Unicare, Healthlink, and DeCare.

33. The hackers who breached Anthem’s records were able to access a database

containing up to 80 million current and former customers, and employees’ records.10

7 Anthem’s HIPAA notice titled, “Information that’s important to you,” located on its website at https://www.anthem.com/health-insurance/nsecurepdf/english common 11832ANMEN (last visited February 11, 2015).

8 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 11, 2015).

9 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at http://www.anthemfacts.com/ (last visited February 11, 2015). See also Health Insurer Anthem Didn’t Encrypt Data Stolen – Update, The Wall Street Journal, Feb. 5, 2015, attached as Exh A.

10 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 11, 2015).

34. Anthem did not announce that its data systems maintaining personal, financial and

potentially health information of its customers and employees were compromised immediately.

Instead, Anthem waited to announce that its systems were compromised, and that up to 80

million consumer and employees’ records had been stolen, until February 4, 2015. Moreover,

Anthem is still delaying notifying individual consumers affected by the breach.11

35. Before the breach, Anthem did not encrypt the data in this database, including

Social Security numbers and other PII.12 Encryption is considered the most effective way to

secure data.13 Without encryption, the hackers who accessed the information will be able to

easily access all of the PII accessed.

36. It was not until after the Data Breach that Anthem retained Mandiant, a leading

cybersecurity firm, to evaluate Anthem’s systems and identify solutions to Anthem’s systems’

vulnerabilities.14

37. Anthem could have retained Mandiant, or another cybersecurity consultant, prior

to the Data Breach to analyze and identify solutions for its systems’ vulnerabilities, and this

could have prevented the Data Breach from occurring, or at the least minimized the amount of

information stolen from Anthem’s systems.

11 Tracer, After Hack, Anthem to Notify Affected Customers Within Two Weeks, Bloomberg, February 5, 2015, available at http://www.bloomberg.com/news/articles/2015-02-05/anthem-to-tell-hacked-customers-in-two-weeks-no-earnings-impact (last visited February 11, 2015).

12 Jaspen, Hackers Stole Data on 80 Million Anthem Customers. Why Wasn’t It Encrypted?, Forbes, February 6, 2015, available at http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didnt-encrypt-personal-data-and-privacy-laws-dont-require-it/ (last visited February 11, 2015).

13 Id.

14 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at http://www.anthemfacts.com/ (last visited February 11, 2015).

38. Indeed, Anthem and other health insurers routinely maintain consumer and

employees’ health and financial information, and have been on notice of potential cyber attacks

seeking to get consumers’ and employees’ PII.

39. In 2014, the Federal Bureau of Investigation’s cyber division warned health care

systems that cyber attacks were likely to occur after January 2015, when healthcare companies

were required to transfer from paper medical records over to electronic records.15 The FBI

pointed out that healthcare companies were more susceptible to cyber attacks, making future

attacks likely. The FBI’s report was highly publicized, being reported by such news agencies as

Reuters.16

40. Indeed, even before the full transition over to electronic medical records, other

healthcare companies were the targets of major cyber attacks. According to a SANS Analyst

Whitepaper from February 2014 titled, “Health Care Cyberthreat Report: Widespread

Compromises Detected, Compliance Nightmare on Horizon,” healthcare providers, including

insurance companies, were regular targets of cyber attacks, and particularly vulnerable to them.17

41. Anthem was aware that it needed to maintain the security of its customers’ Private

Information. In its SEC Form 10-K filings dated February 20, 2014, Anthem acknowledged that

it must maintain and upgrade its data systems to protect its customers’ data.18

15 FBI Cyber Division Private Industry Notification, April 8, 2014, available at https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf (last visited February 11, 2015).

16 Finkle, Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, Reuters, April 23, 2014, available at http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423 (last visited February 11, 2014).

17 Filkins, Health Care Cyberthreat Report, SANS, February 2014, available at http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf (last visited February 11, 2015).

18 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm.

42. Yet, despite the many warnings, Anthem’s own promises to maintain data

security, and the critical nature of maintaining the security of consumer and employees’ financial

information, Anthem did not even take steps to encrypt the sensitive PII of its customers and

employees that it maintained.

43. Anthem also did not disclose to anyone that it did not have adequate security

systems in place to keep Plaintiff and other customers’ personal, financial and health information

that Anthem maintained on its computer systems private and secure.

44. Due to Anthem’s failure to maintain the privacy and security of Plaintiff’s and

Class Members’ private personal, financial and health information, Anthem has violated the law

and breached its duties to its customers.

V. CLASS ALLEGATIONS

45. This action asserts claims on behalf of a nationwide class, and a Nevada subclass

(together “Class”) pursuant to Federal Rules of Civil Procedure 23(a), 23(b)(1), 23(b)(2), 23(b)(3),

and/or 23(c)(4), which class and subclasses consist of persons who had their data stolen from

Anthem’s systems as follows:

All persons in the United States whose personal, medical or financial information was compromised by the data breach disclosed by Anthem on February 4, 2014 (the “National Class”).

All persons in Nevada whose personal, medical or financial information was compromised by the data breach disclosed by Anthem on February 4, 2015 (the “Nevada Subclass”).

46. Excluded from the Class are Defendant, its CEO, and the Judge(s) assigned to this

case. Plaintiff reserves the right to modify, change or expand the Class definition after

conducting discovery.

47. Numerosity: The Class is so numerous that joinder of all members is

impracticable. Anthem has acknowledged that as many as 80 million records may have been

compromised by the Data Breach.

48. Existence and Predominance of Common Questions of Fact and Law:

Common questions of law and fact exist as to all members of the Class. These questions

predominate over the questions affecting individual Class members. These common legal and

factual questions include, but are not limited to:

A. whether Defendant's data security and retention policies were

unreasonable;

B. whether Defendant failed to protect the confidential and highly sensitive

information to which it was entrusted;

C. whether Defendant breached any legal duties in connection with the data

breach;

D. whether Defendant's conduct violated the Indiana Deceptive Consumer

Sales Act;

E. whether Defendant was negligent;

F. whether Defendant was unjustly enriched; and

G. whether Plaintiff and Class members are entitled to monetary damages

and/or other remedies and, if so, the nature of any such relief.

49. Typicality: All of Plaintiff’s claims are typical of the claims of the Class since

Plaintiff and all members of the Class had their personal, confidential, and highly sensitive

information compromised in the Data Breach announced on February 4, 2015.

50. Adequacy: Plaintiff is an adequate representative because his interests do not

materially or irreconcilably conflict with the interests of the Class that he seeks to represent, he

has retained counsel competent and highly experienced in complex class action litigation, and he

intends to prosecute this action vigorously. The interests of the Class will be fairly and

adequately protected by Plaintiff and his counsel.

51. Superiority: A class action is superior to all other available means of fair and

efficient adjudication of the claims of Plaintiff and members of the Class. The injury suffered by

each individual Class member is relatively small in comparison to the burden and expense of

individual prosecution of the complex and extensive litigation necessitated by Defendant’s

conduct. It would be virtually impossible for members of the Class individually to effectively

redress the wrongs done to them. Even if the members of the Class could afford such individual

litigation, the court system could not. Individualized litigation presents a potential for

inconsistent or contradictory judgments. Individualized litigation increases the delay and

expense to all parties and to the court system presented by the complex legal and factual issues

of the case. By contrast, the class action device presents far fewer management difficulties, and

provides the benefits of single adjudication, economy of scale, and comprehensive supervision

by a single court. Members of the Class can be readily identified and notified based on, inter

alia, Defendant's records and databases. Indeed, Anthem claims to already be in the process of

notifying them.

52. Defendant has acted, and refused to act, on grounds generally applicable to the

Class, thereby making appropriate final relief with respect to the Class as a whole.

FIRST CAUSE OF ACTION

NEGLIGENCE

53. Plaintiff and the Class reallege and incorporate by reference the allegations

contained in each of the preceding paragraphs of this Complaint as if fully set forth herein.

54. Defendant owed a duty to the Class to exercise reasonable care in obtaining,

securing, safeguarding, deleting and protecting Plaintiff’s and the Class’ PII within its possession

or control from being compromised, lost, stolen, accessed and misused by unauthorized persons.

This duty included, among other things, designing, maintaining and testing Anthem’s security

systems to ensure that Plaintiff’s and Class members’ PII in Anthem’s possession was

adequately secured and protected. Anthem further owed a duty to Plaintiff and the Class to

implement processes that would detect a breach of its security system in a timely manner and to

timely act upon warnings and alerts including those generated by its own security systems.

55. Anthem owed a duty to Plaintiff and the members of the Class to provide security,

including consistent with industry standards and requirements, to ensure that its systems and

networks, and the personnel responsible for them, adequately protected the PII of its consumers

and employees.

56. Anthem owed a duty of care to Plaintiff and the members of the Class because

they were foreseeable and probable victims of any inadequate security practices. Anthem knew

or should have known it had inadequately safeguarded its Network, particularly in light of its

prior breaches, as noted above, and yet Anthem failed to take reasonable precautions to

safeguard consumers and employees’ PII.

57. Anthem owed a duty to timely and accurately disclose to Plaintiff and members of

the Class that their PII had been or was reasonably believed to have been compromised. Timely

disclosure was required, appropriate and necessary so that, among other things, Plaintiff and the

members of the Class could take appropriate measures to avoid identity theft or fraudulent

charges, including, monitor their account information and credit reports for fraudulent activity,

contact their banks or other financial institutions, obtain credit monitoring services, file reports

with law enforcement and other governmental agencies and take other steps to mitigate or

ameliorate the damages caused by Anthem’s misconduct.

58. Plaintiff and members of the Class entrusted Anthem with their PII on the premise

and with the understanding that Anthem would safeguard their information, and Anthem was in a

position to protect against the harm suffered by Plaintiff and members of the Class as a result of

the Data Breach.

59. Anthem knew, or should have known, of the inherent risks in collecting and

storing the PII of Plaintiff and members of the Class and of the critical importance of providing

adequate security of that information.

60. Anthem’s own conduct also created a foreseeable risk of harm to Plaintiff and

members of the Class. Anthem’s misconduct included, but was not limited to, its failure to take

the steps and opportunities to prevent and stop the Data Breach as set forth herein. Anthem’s

misconduct also included its decision not to comply with industry standards for the safekeeping

and maintenance of the PII of Plaintiff and members of the Class.

61. Through its acts and omissions described herein, Anthem unlawfully breached its

duty to use reasonable care to protect and secure Plaintiff’s and the Class’ PII within its

possession or control. More specifically, Defendant failed to maintain a number of reasonable

security procedures and practices designed to protect the PII of Plaintiff and the Class, including,

but not limited to, establishing and maintaining industry-standard systems to safeguard its

consumers and employees’ PII. Given the risk involved and the amount of data at issue,

Anthem’s breach of its duties was entirely unreasonable.

62. Anthem breached its duties to timely and accurately disclose that Plaintiff’s and

Class members’ PII in Anthem’s possession had been or was reasonably believed to have been

stolen or compromised.

63. As a direct and proximate result of Defendant’s breach of its duties, Plaintiff and

members of the Class have been harmed by the release of their PII, causing them to expend

personal income on credit monitoring services and putting them at an increased risk of identity

theft. Plaintiff and members of the Class have spent time and money to protect themselves as a

result of Defendant’s conduct, and will continue to be required to spend time and money

protecting themselves, their identities, their credit, and their reputations.

SECOND CAUSE OF ACTION NEGLIGENCE PER SE

64. Plaintiff and the Class reallege and incorporate by reference the allegations

contained in the preceding paragraphs.

65. Pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, Anthem had a duty

to keep and protect the personal information of its customers.

66. Anthem violated the Gramm-Leach-Bliley Act by failing to keep and protect

Plaintiff’s and Class members’ personal and financial information, failing to monitor, and/or

failing to ensure that Defendant complied with PCI data security standards, card association

standards, statutes and/or other regulations to protect such personal and financial information.

67. Anthem’s failure to comply with the Gramm-Leach-Bliley Act, and/or other

industry standards and regulations, constitutes negligence per se.

68. Pursuant to HIPAA, Anthem had a duty to keep and protect the personal

information of its customers.

69. Anthem violated HIPAA by failing to keep and protect Plaintiff’s and Class

members’ personal and financial information, failing to monitor, and/or failing to ensure that

Defendant complied with PCI data security standards, statutes and/or other regulations to protect

such personal and financial information.

70. Anthem’s failure to comply with HIPAA, and/or other industry standards and

regulations, constitutes negligence per se.

THIRD CAUSE OF ACTION BREACH OF IMPLIED CONTRACT

71. Plaintiff and the Class reallege and incorporate by reference the allegations

contained in the preceding paragraphs.

72. Anthem provided an implied contract to Plaintiff and Class members to safeguard

and protect the PII provided to it by Plaintiff and Class members when Plaintiff and Class

members provided their PII to Anthem when they purchased health insurance from Anthem (or

when health insurance was purchased from Anthem on their behalf).

73. Plaintiff and Class members would not have provided their PII to Anthem absent

Anthem’s implied promise to safeguard and protect consumer and employees’ PII.

74. Plaintiff and Class members performed all the obligations required by them under

the implied contract when they purchased health insurance from Anthem.

75. Anthem breached its implied contracts with Plaintiff and Class members by

failing to safeguard and protect the personal, financial and health information provided to it by

Plaintiff and Class members.

76. As a direct and proximate result of Anthem’s breach of its implied contracts,

Plaintiff and Class members suffered the damages and injuries described herein.

FOURTH CAUSE OF ACTION VIOLATION OF INDIANA DECEPTIVE CONSUMER SALES ACT

77. Plaintiff and the Class reallege and incorporate by reference the allegations

contained in the preceding paragraphs.

78. Anthem’s conduct as alleged in this Complaint violated Ind. Code § 24-5-0.5-

3(b)(1), (2), including without limitation that (a) Anthem represented that it protected its

consumers and employees’ personal, financial and medical information, but Anthem failed to

protect that sensitive information; (b) Anthem’s failure to maintain adequate computer systems

and data security practices to safeguard consumer and employees’ personal, medical, and

financial information; (c) Anthem’s failure to disclose the material fact that Anthem’s computer

systems and data security practices were inadequate to safeguard consumer and employees’

personal and financial data from theft; and (d) Anthem’s failure to disclose in a timely and

accurate manner to Plaintiff and members of the Class the material fact of the Anthem data

breach.

79. Plaintiff and Class members relied on Anthem’s misrepresentations.

80. Anthem’s deceptive acts were done as part of a scheme, artifice, or device with

intent to defraud or mislead and constitute incurable deceptive acts under Ind. Code § 24-5-0.5-1

et seq.

81. Plaintiff and Class members are entitled to the greater of damages actually

suffered or statutory damages, as well as treble damages, reasonable attorneys’ fees, costs of suit,

an order enjoining Anthem’s unlawful practices, and any other relief which the Court deems

proper.

FIFTH CAUSE OF ACTION UNJUST ENRICHMENT

82. Plaintiff and the Class reallege and incorporate by reference the allegations

contained in the preceding paragraphs.

83. Plaintiff and Class members conferred a monetary benefit on Anthem in the form

of monies paid for the purchase of health insurance from Anthem during the period of the

Anthem data breach.

84. The monies paid by the Plaintiff and Class were supposed to be used by Anthem,

in part, to pay for the administrative and other costs of providing reasonable data security and

protection to Plaintiff and Class members.

85. Anthem failed to provide reasonable security, safeguards, and protections to the

personal, medical, and financial information of Plaintiff and Class members, and as a result the

Plaintiff and Class overpaid Anthem for the health insurance they purchased.

86. Under principles of equity and good conscience, Anthem should not be permitted

to retain the money belonging to Plaintiff and Class members because Anthem failed to provide

adequate safeguards and security measures to protect Plaintiff’s and Class members’ personal,

medical, and financial information that they paid for but did not receive.

87. Anthem wrongfully accepted and retained these benefits to the detriment of

Plaintiff and Class members.

88. Anthem’s enrichment at the expense of Plaintiff and Class members is and was

unjust.

89. As a result of Anthem’s wrongful conduct, as alleged above, Plaintiff and the

Class are entitled to restitution and disgorgement of profits, benefits, and other compensation

obtained by Anthem, plus attorneys’ fees, costs, and interest thereon.

PRAYER FOR RELIEF

WHEREFORE, Plaintiff, on behalf of himself and all members of the Class, requests

the following relief:

A. An order certifying that this action is properly brought and may be maintained as

a class action, that Plaintiff David Ifversen be appointed a Class Representative for the National

Class and Nevada Subclass, and that Plaintiff’s counsel be appointed Counsel for the National

Class and Nevada Subclass.

B. Awarding compensatory damages in an amount determined at trial for each Cause

of Action asserted herein for which these damages are available.

C. Awarding restitution in an amount determined at trial for each Cause of Action

asserted herein for which this relief is available.

D. An order enjoining Defendants from continuing the unlawful practices as set forth

herein, and directing Defendants to identify, with Court supervision, victims of their conduct and

pay them restitution.

E. Awarding interest on the monies wrongfully obtained from the date of collection

through the date of entry of judgment in this action.

F. An order awarding Plaintiff his costs of suit, including reasonable attorneys’ fees

and pre and post-judgment interest, as provided by law, or equity, or as otherwise available.

G. Such other and further relief as may be available as part of the statutory claims

asserted herein, or otherwise as may be deemed necessary or appropriate for any of the claims

asserted.

JURY DEMAND

Plaintiff requests a trial by jury of all claims that can so be tried.

RESPECTFULLY SUBMITTED this 11th day of February, 2015.

MATTINGLY BURKE COHEN BIDERMAN LLP

By: /s/ Hamish S. Cohen
Hamish Cohen, #22931-53
Sean P. Burke, #26995-49
3646 N. Washington Blvd.
Indianapolis, IN 46205
Tel: (317) 614-7320

KELLER ROHRBACK L.L.P.

Gretchen Freeman Cappio, pro hac vice forthcoming
Cari Campen Laufenberg, pro hac vice forthcoming
Amy N. L. Hanson, pro hac vice forthcoming
1201 Third Avenue, Suite 3200
Seattle, Washington 98101-3052
Tel: (206) 623-1900
Fax: (206) 623-3384

Attorneys for Plaintiff
