UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF INDIANA
INDIANAPOLIS DIVISION
DAVID IFVERSEN, individually and on behalf of all others similarly situated,
Plaintiff,
v.
ANTHEM, INC., an Indiana corporation,
Defendant.
No. 15-cv-209
DEMAND FOR JURY TRIAL
PLAINTIFF’S CLASS ACTION COMPLAINT
Plaintiff David Ifversen (“Plaintiff”) files this Class Action Complaint (“Complaint”) on
behalf of himself and all others similarly situated, by and through the undersigned attorneys,
against Defendant Anthem, Inc. (“Defendant” or “Anthem”), which was known previously as
WellPoint, Inc., and alleges as follows upon personal knowledge as to himself and his own acts
and experiences, and, as to all other matters, upon information and belief based upon, inter alia,
investigation conducted by his attorneys.
I. NATURE OF THE ACTION
1. On February 4, 2015, Anthem revealed that it had suffered a catastrophic data
breach (“Data Breach”) of its information technology system (“Network”). Anthem is the
second largest health insurer in the United States. This was not the first time Anthem has
suffered a massive data breach, but it is the worst.
2. The hackers gained access to sensitive and confidential data entrusted to Anthem,
including full names, social security numbers/medical identification numbers, home addresses,
email addresses, employment information (including income data), dates of birth, and other
personal information (“Personally Identifying Information” or “PII”). To date, it has been
Case 1:15-cv-00209-SEB-DML Document 1 Filed 02/11/15 Page 1 of 22 PageID #: 1
reported that the Data Breach compromised the data of 80 million people, including current and
former members as well as Anthem’s own employees.
3. Anthem left the most sensitive PII of its consumers and employees vulnerable to
data breach and misuse because, in part, the data was unencrypted. Anthem suffered the
catastrophic Data Breach because it failed to develop, maintain, and implement sufficient
security measures on its database, particularly given the fact that its systems harbor medical and
other private data. Indeed, as discussed below, Anthem has previously been investigated for its
failure to reasonably protect PII and was subsequently the subject of a similar — though far less
massive — data breach, which resulted in a government fine, private litigation and a class action
settlement. Further, last summer, the FBI issued a warning that the health care industry might be
targeted by hackers. Nevertheless, Anthem has repeatedly failed to take these warnings to heart.
4. Anthem’s recent Data Breach also follows in the wake of a number of widely
publicized data breaches affecting companies such as Target, Home Depot, Neiman Marcus,
Community Health Systems, Inc., Michaels Stores, Jimmy Johns, Sony Pictures Entertainment,
J.P. Morgan Chase & Co., P.F. Chang’s, Staples, and others. Notwithstanding these earlier data
security incidents at Anthem and at others, Anthem failed to take adequate steps to prevent the
Data Breach from occurring.
5. Anthem’s reaction to the Data Breach has been anemic at best. It has failed to
timely notify affected employees and consumers including Plaintiff. For a portion of affected
consumers and employees, Anthem is offering credit monitoring protection for a period of one
year – a woefully deficient short-term solution to a lifelong problem. The Connecticut Attorney
General has already demanded that Anthem “immediately provide” two years’ worth of credit
monitoring “at the very least.” Indeed, in a class action settlement reached in Orange County,
California, related to the unauthorized disclosure of personal and financial information on health
insurance applications, Anthem offered, inter alia, two full years of credit monitoring for those
who did not experience any identity theft losses (and a total of six years to those who did). See
https://AnthemBlueCrossSecuritySettlement.com.
6. Consumers and employees face a “lifelong battle” to control the damages of their
PII being stolen by hackers, including fraudulent tax returns, stolen identities, and/or medical
identity fraud.1 Anthem’s failure to adequately protect PII has caused, and will continue to
cause, substantial customer harm and injuries to Anthem consumers and employees across the
United States.
7. Plaintiff, individually and on behalf of the Class defined below, seeks to hold
Anthem accountable for the Data Breach by ensuring that it provide adequate protection to those
affected. Plaintiff seeks relief for Anthem's breach of implied contractual obligations,
negligence, violations of certain statutes discussed infra, bailment and, alternatively, unjust
enrichment.
II. JURISDICTION AND VENUE
8. This Court has subject matter jurisdiction of this action pursuant to 28 U.S.C.
§ 1332 of the Class Action Fairness Act of 2005 because: (i) there are 100 or more class
members, (ii) there is an aggregate amount in controversy exceeding $5,000,000, exclusive of
interest and costs, and (iii) there is minimal diversity because at least one plaintiff and defendant
are citizens of different states. This Court also has supplemental jurisdiction over the state law
claims pursuant to 28 U.S.C. § 1367.
1 Shary Rudavsky, Anthem Data Breach Could Be “Lifelong Battle” for Customers, IndyStar, February 7, 2015, available at http://www.indystar.com/story/news/2015/02/05/anthem-data-breach-lifelong-battle-customers/22953623/ (last visited February 11, 2015).
9. This Court has personal jurisdiction over Defendant because it maintains its
principal place of business in this judicial district and division and has such minimum contacts in
this state to make this Court's exercise of jurisdiction proper.
10. Venue is proper in this judicial district and division pursuant to 28 U.S.C. § 1391
because Defendant is headquartered in this district and division, is subject to personal
jurisdiction in this district and division, and therefore is deemed to be a citizen of this district and
division. Additionally, a substantial part of the events and/or omissions giving rise to the claims
occurred within this district and division.
III. PARTIES
11. Plaintiff David Ifversen is currently a resident of the State of Nevada. Plaintiff
Ifversen has medical insurance coverage through Anthem Blue Cross Blue Shield. As a result of
Plaintiff Ifversen’s insurance coverage, on information and belief, Defendant Anthem obtained,
used, and stored his PII, which he expected to be safeguarded and kept confidential. On
information and belief, Plaintiff Ifversen’s PII was compromised when hackers accessed
Anthem’s Network, including but not limited to his full name, current address, date of birth,
medical identification number, social security number, email address, employment information,
and income data. Plaintiff Ifversen did not consent to relinquish control over his PII or allow his
PII to be publicized in providing this information and paying his insurance premium in exchange
for medical insurance coverage. He is greatly troubled by his loss of control over his PII and/or
publication of his PII, and believes that he paid part of his insurance premium to ensure
reasonable security of his PII. Plaintiff Ifversen also feels stress over his loss of control over his
PII and/or publication of his PII, which he fears will subject him to lifelong exposure to identity
theft, medical data misuse and other repercussions.
12. Due to the extremely problematic nature of the loss of control and/or publication
of Plaintiff Ifversen’s PII, his resulting stress, and Defendant’s lack of timely notice and response
to the Data Breach, to date, Plaintiff Ifversen has expended hours attempting to safeguard
himself from identity theft or other harms caused by the release of his PII as a result of the Data
Breach. Going forward, Plaintiff Ifversen anticipates spending considerable time each day in an
effort to contain the impact of Anthem’s Data Breach as it relates to his PII that, on information
and belief, is now in the public domain.
13. Defendant Anthem is an entity incorporated in the State of Indiana with its
headquarters and principal place of business located at 120 Monument Circle in Indianapolis,
Indiana. Anthem was previously known as WellPoint, Inc., and was formed when Anthem
Insurance Company bought WellPoint Health Networks in 2004. Anthem issues securities that
are publicly traded on the New York Stock Exchange under the ticker symbol “WLP.”
IV. FACTUAL ALLEGATIONS
Anthem Has Repeatedly Failed to Reasonably Protect Consumer and Employee PII.
14. In 2009, an investigation by the U.S. Department of Health and Human Services
(“HHS”) under the Health Insurance Portability and Accountability Act (“HIPAA”) found that
Anthem, doing business as WellPoint, did not adequately implement policies and procedures to
protect unsecured “electronic protected health information” covered by HIPAA.
15. In 2010, a second investigation by HHS found that WellPoint still did not
adequately implement policies and procedures to protect unsecured “electronic protected health
information” covered by HIPAA, and that names, dates of birth, addresses, Social Security
numbers, telephone numbers and health information of 612,000 WellPoint customers and
employees were disclosed as a result.
16. HHS fined Anthem approximately $1.7 million for the 2010 data breach.
17. WellPoint’s chief information security officer at the time of the fine was Roy
Mellinger. He currently remains chief information security officer for Anthem.
18. In addition, despite Anthem’s offer of one year of credit monitoring to its insureds
as a result of the 2010 data breach, private litigation, including class action litigation, was
initiated.
Non-Financial PII has Long-Term Value on the Black Market
19. In a carefully crafted letter to Anthem members that was posted on Anthem’s
website on February 6, 2015, Anthem CEO Joseph R. Swedish emphasized that while he was not
currently aware of evidence that “credit card or medical information, such as claims, test results
or diagnostic codes” had been compromised through the Data Breach, numerous types of PII had
been compromised by it:
[A]ttackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.
20. As noted by Kiplinger, however, the current lack of confirmed credit card
information compromise is no reason to breathe a sigh of relief for the Class:
The truth is, you might have been better off if only card information had been stolen because what the hackers got is potentially much more valuable: full names, birthdays, street addresses and Social Security numbers. “They got your secret sauce,” says Neal O’Farrell, a security and identity theft expert for Credit Sesame. “It’s as good as your DNA to hackers.”2
21. Moreover, the value of the non-financial PII that Anthem admits was
compromised by the Data Breach is highlighted by HIPAA’s protection of it.
2 Tips, “How to Protect Your Kids From the Anthem Data Breach,” Kiplinger (Feb. 10, 2015), available at http://www.kiplinger.com/article/credit/T048-C011-S001-how-to-protect-your-kids-from-the-anthem-data-brea.html (last visited February 11, 2015).
22. Senior HHS advisor Rachel Seeger has been quoted in the media emphasizing that
names and Social Security Numbers are protected under HIPAA—even if no specific diagnostic
or treatment information is disclosed:
The personally identifiable information that HIPAA-covered health plans maintain on enrollees and members — including names and Social Security Numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed.
23. As reported by Reuters, non-financial data “is worth 10 times more than your
credit card number on the black market.” This is because non-financial data theft is often not
immediately identified, “giving criminals years to milk such credentials.” This makes non-
financial data more valuable than credit cards, “which tend to be quickly canceled by banks once
fraud is detected.”3
24. Today, as reported by CreditCards.com, hackers are looking to steal non-financial
information so they can “continue to monetize victims’ identities over a longer period of time.”
Specifically, “[o]nce hackers have a medical ID, they can use it to procure prescription drugs or
expensive medical equipment or simply to commit financial fraud – often for months or years
before anyone notices.”4
25. As summed up by Kiplinger:
Unlike a credit card, you can’t cancel a Social Security number, which puts you at risk of being a lifelong victim, he says. Thieves can use that number to steal your identity and file fraudulent tax returns, rack up debt in your name and more.5
3 Humer, “Your Medical Record is Worth More to Hackers than Your Credit Card,” Reuters (Sept. 24, 2014), available at http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 (last visited February 11, 2015).
4 McCarthy, “How to Spot and Prevent Medical Identity Theft,” CreditCards.com (Aug. 19, 2014), available at http://www.creditcards.com/credit-card-news/spot-prevent-medical-identity-theft-1282.php (last visited February 11, 2015).
5 Tips, “How to Protect Your Kids From the Anthem Data Breach,” Kiplinger (Feb. 10, 2015), available at http://www.kiplinger.com/article/credit/T048-C011-S001-how-to-protect-your-kids-from-the-anthem-data-brea.html (last visited February 11, 2015).
Use of Compromised Non-Financial PII is Costly to Its Owners
26. Once use of compromised non-financial PII is detected, the emotional and
economic consequences to its owners are significant. As reported by CreditCards.com:
The Ponemon Institute found that 36 percent of medical ID theft victims pay to resolve the issue, and their out-of-pocket costs average nearly $19,000. Even if you don't end up paying out of pocket, such usage can wreak havoc on both medical and credit records, and clearing that up is a time-consuming headache. That's because medical records are scattered. Unlike personal financial information, which is consolidated and protected by credit bureaus, bits of your medical records end up in every doctor's office and hospital you check into, every pharmacy that fills a prescription and every facility that processes payments for those transactions.
Anthem Was Obligated to Keep Consumer and Employee PII Reasonably Secure.
27. As a health insurer, Anthem knows or should know of the risks its consumers and
employees face when their PII is misused and of the need to carefully safeguard this information,
in part because hackers breach the healthcare industry more frequently than any other segment of
the economy.6
28. Anthem’s own HIPAA Notice of Privacy Protection provides:
We are dedicated to protecting your [personal health information], and have set up a number of policies and practices to help make sure your [personal health information] is kept secure
…
We keep your oral, written and electronic [personal health information] safe using physical, electronic, and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your [personal health information] safe include securing offices that hold [personal health information], password-protecting computers, and locking storage areas and filing cabinets. We require our employees to protect [personal health information] through written policies and procedures. These policies limit access to [personal health information] to only those employees who need the data to do their job. Employees are also required to wear ID badges to help keep people who do not belong out of areas where sensitive data is kept. Also, where required by law, our
6 Greisiger, Cyber Liability & Data Breach Insurance Claims, NetDiligence 2013, at p. 2, available at http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf (last visited February 11, 2015).
affiliates and nonaffiliates must protect the privacy of data we share in the normal course of business. They are not allowed to give [personal health information] to others without
your written OK, except as allowed by law and outlined in this notice.7
29. Consumers and employees rely on health insurers such as Anthem to maintain
their sensitive health and PII to ensure it is both private and secure.
30. Anthem claims to maintain state-of-the-art information security systems to protect
its customers’ personal health and financial data.8
31. Yet, despite its promises, on January 29, 2015, hackers were able to access
the unencrypted PII of millions of Anthem’s customers, including names, birthdays, medical
IDs/social security numbers, street addresses, email addresses and employment information,
including income data.9
32. Anthem confirmed that all of its product lines were impacted by the Data Breach,
including Anthem Blue Cross, Blue Cross of California, Anthem Blue Cross and Blue Shield,
Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup,
Caremore, Unicare, Healthlink, and DeCare.
33. The hackers who breached Anthem’s records were able to access a database
containing up to 80 million current and former customers’ and employees’ records.10
7 Anthem’s HIPAA notice titled, “Information that’s important to you,” located on its website at https://www.anthem.com/health-insurance/nsecurepdf/english common 11832ANMEN (last visited February 11, 2015).
8 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 11, 2015).
9 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at http://www.anthemfacts.com/ (last visited February 11, 2015). See also Health Insurer Anthem Didn’t Encrypt Data Stolen – Update, The Wall Street Journal, Feb. 5, 2015, attached as Exh A.
10 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 11, 2015).
34. Anthem did not immediately announce that its data systems maintaining personal, financial and
potentially health information of its customers and employees were compromised.
Instead, Anthem waited to announce that its systems were compromised, and that up to 80
million consumers’ and employees’ records had been stolen, until February 4, 2015. Moreover,
Anthem is still delaying notifying individual consumers affected by the breach.11
35. Before the breach, Anthem did not encrypt the data in this database, including
Social Security numbers and other PII.12 Encryption is considered the most effective way to
secure data.13 Without encryption, the hackers who accessed the information will be able to
easily read all of the PII they accessed.
36. It was not until after the Data Breach that Anthem retained Mandiant, a leading
cybersecurity firm, to evaluate Anthem’s systems and identify solutions to Anthem’s systems’
vulnerabilities.14
37. Anthem could have retained Mandiant, or another cybersecurity consultant, prior
to the Data Breach to analyze and identify solutions for its systems’ vulnerabilities, and this
could have prevented the Data Breach from occurring, or at the least minimized the amount of
information stolen from Anthem’s systems.
11 Tracer, After Hack, Anthem to Notify Affected Customers Within Two Weeks, Bloomberg, February 5, 2015, available at http://www.bloomberg.com/news/articles/2015-02-05/anthem-to-tell-hacked-customers-in-two-weeks-no-earnings-impact (last visited February 11, 2015).
12 Japsen, Hackers Stole Data on 80 Million Anthem Customers. Why Wasn’t It Encrypted?, Forbes, February 6, 2015, available at http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didnt-encrypt-personal-data-and-privacy-laws-dont-require-it/ (last visited February 11, 2015).
13 Id.
14 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at http://www.anthemfacts.com/ (last visited February 11, 2015).
38. Indeed, Anthem and other health insurers routinely maintain consumers’ and
employees’ health and financial information, and have been on notice of potential cyber attacks
seeking to get consumers’ and employees’ PII.
39. In 2014, the Federal Bureau of Investigation’s cyber division warned health care
systems that cyber attacks were likely to occur after January 2015, when healthcare companies
were required to transfer from paper medical records over to electronic records.15 The FBI
pointed out that healthcare companies were more susceptible to cyber attacks, making future
attacks likely. The FBI’s report was highly publicized, being reported by such news agencies as
Reuters.16
40. Indeed, even before the full transition over to electronic medical records, other
healthcare companies were the targets of major cyber attacks. According to a SANS Analyst
Whitepaper from February 2014 titled, “Health Care Cyberthreat Report: Widespread
Compromises Detected, Compliance Nightmare on Horizon,” healthcare providers, including
insurance companies, were regular targets of cyber attacks, and particularly vulnerable to them.17
41. Anthem was aware that it needed to maintain the security of its customers’ Private
Information. In its SEC Form 10-K filings dated February 20, 2014, Anthem acknowledged that
it must maintain and upgrade its data systems to protect its customers’ data.18
15 FBI Cyber Division Private Industry Notification, April 8, 2014, available at https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf (last visited February 11, 2015).
16 Finkle, Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, Reuters, April 23, 2014, available at http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423 (last visited February 11, 2014).
17 Filkins, Health Care Cyberthreat Report, SANS, February 2014, available at http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf (last visited February 11, 2015).
18 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm.
42. Yet, despite the many warnings, Anthem’s own promises to maintain data
security, and the critical nature of maintaining the security of consumers’ and employees’ financial
information, Anthem did not even take steps to encrypt the sensitive PII of its customers and
employees that it maintained.
43. Anthem also did not disclose to anyone that it did not have adequate security
systems in place to keep Plaintiff’s and other customers’ personal, financial and health information
that Anthem maintained on its computer systems private and secure.
44. Due to Anthem’s failure to maintain the privacy and security of Plaintiff’s and
Class Members’ private personal, financial and health information, Anthem has violated the law
and breached its duties to its customers.
V. CLASS ALLEGATIONS
45. This action asserts claims on behalf of a nationwide class, and a Nevada subclass
(together “Class”) pursuant to Federal Rules of Civil Procedure 23(a), 23(b)(1), 23(b)(2), 23(b)(3),
and/or 23(c)(4), which class and subclasses consist of persons who had their data stolen from
Anthem’s systems as follows:
All persons in the United States whose personal, medical or financial information was compromised by the data breach disclosed by Anthem on February 4, 2014 (the “National Class”).
All persons in Nevada whose personal, medical or financial information was compromised by the data breach disclosed by Anthem on February 4, 2015 (the “Nevada Subclass”).
46. Excluded from the Class are Defendant, its CEO, and the Judge(s) assigned to this
case. Plaintiff reserves the right to modify, change or expand the Class definition after
conducting discovery.
47. Numerosity: The Class is so numerous that joinder of all members is
impracticable. Anthem has acknowledged that as many as 80 million records may have been
compromised by the Data Breach.
48. Existence and Predominance of Common Questions of Fact and Law:
Common questions of law and fact exist as to all members of the Class. These questions
predominate over the questions affecting individual Class members. These common legal and
factual questions include, but are not limited to:
A. whether Defendant's data security and retention policies were
unreasonable;
B. whether Defendant failed to protect the confidential and highly sensitive
information to which it was entrusted;
C. whether Defendant breached any legal duties in connection with the data
breach;
D. whether Defendant's conduct violated the Indiana Deceptive Consumer
Sales Act;
E. whether Defendant was negligent;
F. whether Defendant was unjustly enriched; and
G. whether Plaintiff and Class members are entitled to monetary damages
and/or other remedies and, if so, the nature of any such relief.
49. Typicality: All of Plaintiff’s claims are typical of the claims of the Class since
Plaintiff and all members of the Class had their personal, confidential, and highly sensitive
information compromised in the Data Breach announced on February 4, 2015.
50. Adequacy: Plaintiff is an adequate representative because his interests do not
materially or irreconcilably conflict with the interests of the Class that he seeks to represent, he
has retained counsel competent and highly experienced in complex class action litigation, and he
intends to prosecute this action vigorously. The interests of the Class will be fairly and
adequately protected by Plaintiff and his counsel.
51. Superiority: A class action is superior to all other available means of fair and
efficient adjudication of the claims of Plaintiff and members of the Class. The injury suffered by
each individual Class member is relatively small in comparison to the burden and expense of
individual prosecution of the complex and extensive litigation necessitated by Defendant’s
conduct. It would be virtually impossible for members of the Class individually to effectively
redress the wrongs done to them. Even if the members of the Class could afford such individual
litigation, the court system could not. Individualized litigation presents a potential for
inconsistent or contradictory judgments. Individualized litigation increases the delay and
expense to all parties and to the court system presented by the complex legal and factual issues
of the case. By contrast, the class action device presents far fewer management difficulties, and
provides the benefits of single adjudication, economy of scale, and comprehensive supervision
by a single court. Members of the Class can be readily identified and notified based on, inter
alia, Defendant's records and databases. Indeed, Anthem claims to already be in the process of
notifying them.
52. Defendant has acted, and refused to act, on grounds generally applicable to the
Class, thereby making appropriate final relief with respect to the Class as a whole.
FIRST CAUSE OF ACTION
NEGLIGENCE
53. Plaintiff and the Class reallege and incorporate by reference the allegations
contained in each of the preceding paragraphs of this Complaint as if fully set forth herein.
54. Defendant owed a duty to the Class to exercise reasonable care in obtaining,
securing, safeguarding, deleting and protecting Plaintiff’s and the Class’ PII within its possession
or control from being compromised, lost, stolen, accessed and misused by unauthorized persons.
This duty included, among other things, designing, maintaining and testing Anthem’s security
systems to ensure that Plaintiff’s and Class members’ PII in Anthem’s possession was
adequately secured and protected. Anthem further owed a duty to Plaintiff and the Class to
implement processes that would detect a breach of its security system in a timely manner and to
timely act upon warning and alerts including those generated by its own security systems.
55. Anthem owed a duty to Plaintiff and the members of the Class to provide security,
including security consistent with industry standards and requirements, to ensure that its systems and
networks, and the personnel responsible for them, adequately protected the PII of its consumers
and employees.
56. Anthem owed a duty of care to Plaintiff and the members of the Class because
they were foreseeable and probable victims of any inadequate security practices. Anthem knew
or should have known it had inadequately safeguarded its Network, particularly in light of its
prior breaches, as noted above, and yet Anthem failed to take reasonable precautions to
safeguard consumers’ and employees’ PII.
57. Anthem owed a duty to timely and accurately disclose to Plaintiff and members of
the Class that their PII had been or was reasonably believed to have been compromised. Timely
disclosure was required, appropriate and necessary so that, among other things, Plaintiff and the
members of the Class could take appropriate measures to avoid identity theft or fraudulent
charges, including to monitor their account information and credit reports for fraudulent activity,
contact their banks or other financial institutions, obtain credit monitoring services, file reports
with law enforcement and other governmental agencies and take other steps to mitigate or
ameliorate the damages caused by Anthem’s misconduct.
58. Plaintiff and members of the Class entrusted Anthem with their PII on the premise
and with the understanding that Anthem would safeguard their information, and Anthem was in a
position to protect against the harm suffered by Plaintiff and members of the Class as a result of
the Data Breach.
59. Anthem knew, or should have known, of the inherent risks in collecting and
storing the PII of Plaintiff and members of the Class and of the critical importance of providing
adequate security of that information.
60. Anthem’s own conduct also created a foreseeable risk of harm to Plaintiff and
members of the Class. Anthem’s misconduct included, but was not limited to, its failure to take
the steps and opportunities to prevent and stop the Data Breach as set forth herein. Anthem’s
misconduct also included its decision not to comply with industry standards for the safekeeping
and maintenance of the PII of Plaintiff and members of the Class.
61. Through its acts and omissions described herein, Anthem unlawfully breached its
duty to use reasonable care to protect and secure Plaintiff’s and the Class’ PII within its
possession or control. More specifically, Defendant failed to maintain a number of reasonable
security procedures and practices designed to protect the PII of Plaintiff and the Class, including,
but not limited to, establishing and maintaining industry-standard systems to safeguard its
consumers and employees’ PII. Given the risk involved and the amount of data at issue,
Anthem’s breach of its duties was entirely unreasonable.
62. Anthem breached its duties to timely and accurately disclose that Plaintiff’s and
Class members’ PII in Anthem’s possession had been or was reasonably believed to have been,
stolen or compromised.
63. As a direct and proximate result of Defendant’s breach of its duties, Plaintiff and
members of the Class have been harmed by the release of their PII, causing them to expend
personal income on credit monitoring services and putting them at an increased risk of identity
theft. Plaintiff and members of the Class have spent time and money to protect themselves as a
result of Defendant’s conduct, and will continue to be required to spend time and money
protecting themselves, their identities, their credit, and their reputations.
SECOND CAUSE OF ACTION
NEGLIGENCE PER SE
64. Plaintiff and the Class reallege and incorporate by reference the allegations
contained in the preceding paragraphs.
65. Pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, Anthem had a duty
to keep and protect the personal information of its customers.
66. Anthem violated the Gramm-Leach-Bliley Act by failing to keep and protect
Plaintiff’s and Class members’ personal and financial information, failing to monitor, and/or
failing to ensure that Defendant complied with PCI data security standards, card association
standards, statutes and/or other regulations to protect such personal and financial information.
67. Anthem’s failure to comply with the Gramm-Leach-Bliley Act, and/or other
industry standards and regulations, constitutes negligence per se.
68. Pursuant to HIPAA, Anthem had a duty to keep and protect the personal
information of its customers.
69. Anthem violated HIPAA by failing to keep and protect Plaintiff’s and Class
members’ personal and financial information, failing to monitor, and/or failing to ensure that
Defendant complied with PCI data security standards, statutes and/or other regulations to protect
such personal and financial information.
70. Anthem’s failure to comply with HIPAA, and/or other industry standards and
regulations, constitutes negligence per se.
THIRD CAUSE OF ACTION
BREACH OF IMPLIED CONTRACT
71. Plaintiff and the Class reallege and incorporate by reference the allegations
contained in the preceding paragraphs.
72. Anthem provided an implied contract to Plaintiff and Class members to safeguard
and protect the PII provided to it by Plaintiff and Class members when Plaintiff and Class
members provided their PII to Anthem when they purchased health insurance from Anthem (or
when health insurance was purchased from Anthem on their behalf).
73. Plaintiff and Class members would not have provided their PII to Anthem absent
Anthem’s implied promise to safeguard and protect consumer and employees’ PII.
74. Plaintiff and Class members performed all the obligations required by them under
the implied contract when they purchased health insurance from Anthem.
75. Anthem breached its implied contracts with Plaintiff and Class members by
failing to safeguard and protect the personal, financial and health information provided to it by
Plaintiff and Class members.
76. As a direct and proximate result of Anthem’s breach of its implied contracts,
Plaintiff and Class members suffered the damages and injuries described herein.
FOURTH CAUSE OF ACTION
VIOLATION OF INDIANA DECEPTIVE CONSUMER SALES ACT
77. Plaintiff and the Class reallege and incorporate by reference the allegations
contained in the preceding paragraphs.
78. Anthem’s conduct as alleged in this Complaint violated Ind. Code § 24-5-0.5-3(b)(1), (2),
including without limitation that (a) Anthem represented that it protected its
consumers and employees’ personal, financial and medical information, but Anthem failed to
protect that sensitive information; (b) Anthem’s failure to maintain adequate computer systems
and data security practices to safeguard consumer and employees’ personal, medical, and
financial information; (c) Anthem’s failure to disclose the material fact that Anthem’s computer
systems and data security practices were inadequate to safeguard consumer and employees’
personal and financial data from theft; and (d) Anthem’s failure to disclose in a timely and
accurate manner to Plaintiff and members of the Class the material fact of the Anthem data
breach.
79. Plaintiff and Class members relied on Anthem’s misrepresentations.
80. Anthem’s deceptive acts were done as part of a scheme, artifice, or device with
intent to defraud or mislead and constitute incurable deceptive acts under Ind. Code § 24-5-0.5-1
et seq.
81. Plaintiff and Class members are entitled to the greater of damages actually
suffered or statutory damages, as well as treble damages, reasonable attorneys’ fees, costs of suit,
an order enjoining Anthem’s unlawful practices, and any other relief which the Court deems
proper.
FIFTH CAUSE OF ACTION
UNJUST ENRICHMENT
82. Plaintiff and the Class reallege and incorporate by reference the allegations
contained in the preceding paragraphs.
83. Plaintiff and Class members conferred a monetary benefit on Anthem in the form
of monies paid for the purchase of health insurance from Anthem during the period of the
Anthem data breach.
84. The monies paid by the Plaintiff and Class were supposed to be used by Anthem,
in part, to pay for the administrative and other costs of providing reasonable data security and
protection to Plaintiff and Class members.
85. Anthem failed to provide reasonable security, safeguards, and protections to the
personal, medical, and financial information of Plaintiff and Class members, and as a result the
Plaintiff and Class overpaid Anthem for the health insurance they purchased.
86. Under principles of equity and good conscience, Anthem should not be permitted
to retain the money belonging to Plaintiff and Class members because Anthem failed to provide
adequate safeguards and security measures to protect Plaintiff’s and Class members’ personal,
medical, and financial information that they paid for but did not receive.
87. Anthem wrongfully accepted and retained these benefits to the detriment of
Plaintiff and Class members.
88. Anthem’s enrichment at the expense of Plaintiff and Class members is and was
unjust.
89. As a result of Anthem’s wrongful conduct, as alleged above, Plaintiff and the
Class are entitled to restitution and disgorgement of profits, benefits, and other compensation
obtained by Anthem, plus attorneys’ fees, costs, and interest thereon.
PRAYER FOR RELIEF
WHEREFORE, Plaintiff, on behalf of himself and all members of the Class, requests
the following relief:
A. An order certifying that this action is properly brought and may be maintained as
a class action, that Plaintiff David Ifversen be appointed Class Representative for the National
Class and Nevada Subclass, and that Plaintiff’s counsel be appointed Counsel for the National
Class and Nevada Subclass.
B. Awarding compensatory damages in an amount determined at trial for each Cause
of Action asserted herein for which these damages are available.
C. Awarding restitution in an amount determined at trial for each Cause of Action
asserted herein for which this relief is available.
D. An order enjoining Defendants from continuing the unlawful practices as set forth
herein, and directing Defendants to identify, with Court supervision, victims of their conduct and
pay them restitution.
E. Awarding interest on the monies wrongfully obtained from the date of collection
through the date of entry of judgment in this action.
F. An order awarding Plaintiff his costs of suit, including reasonable attorneys’ fees
and pre and post-judgment interest, as provided by law, or equity, or as otherwise available.
G. Such other and further relief as may be available as part of the statutory claims
asserted herein, or otherwise as may be deemed necessary or appropriate for any of the claims
asserted.
JURY DEMAND
Plaintiff requests a trial by jury of all claims that can so be tried.
RESPECTFULLY SUBMITTED this 11th day of February, 2015.
MATTINGLY BURKE COHEN BIDERMAN LLP
By: /s/ Hamish S. Cohen
Hamish Cohen, #22931-53
Sean P. Burke, #26995-49
3646 N. Washington Blvd.
Indianapolis, IN 46205
Tel: (317) 614-7320
[email protected]
[email protected]
KELLER ROHRBACK L.L.P.
Gretchen Freeman Cappio, pro hac vice forthcoming
Cari Campen Laufenberg, pro hac vice forthcoming
Amy N. L. Hanson, pro hac vice forthcoming
1201 Third Avenue, Suite 3200
Seattle, Washington 98101-3052
Tel: (206) 623-1900
Fax: (206) 623-3384
[email protected]
[email protected]
[email protected]
Attorneys for Plaintiff