1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Loralee Giotta,
Case No.:
Plaintiff,
17
vs.
24
(1) Negligence
(2) Breach of Contract
(3) Breach of Implied Contract
(4) Violation of Californias Data Breach Law
(Cal Civ. Code 1798 et seq.)
(5) Violation of Californias Unfair
Competition Law (Cal. Bus. & Prof. Code
17200, et seq.); and
(6) Restitution Based Upon Quasi Contract /
Unjust Enrichment
25
19
20
21
Defendants.
22
23
26
27
28
Class Action Complaint;
Case No.:
Plaintiff Loralee Giotta (Plaintiff) by her attorneys, brings this class action on her own
behalf and on behalf of all others similarly situated against Defendant Anthem, Inc. and Blue Cross
of California, doing business as Anthem Blue Cross (collectively Anthem), and other unknown
DOE defendants (collectively all defendants are referred to as Defendants), and allege as follows
upon information and belief based on, inter alia, the investigation of their counsel:
I.
INTRODUCTION
1.
This is an action against Anthem, Inc. and its subsidiary Blue Cross of California, one
of the largest health insurers in the United States (collectively Anthem), for their failure to secure
and protect customers sensitive personally identifiable and financial information, including names,
10
birth dates, Social Security numbers, addresses, phone numbers, email addresses, health insurer
11
member identification numbers and possibly personal health care data (collectively customers
12
Personal Information).1
13
2.
On or about February 4, 2015, Anthem first publically disclosed that hackers had
14
breached its computer systems in which Anthem maintained the Personal Information of its
15
customers (i.e., the policy owners and insureds of the insurance policies it issues). As a result of this
16
security breach, these hackers stole and now possess Anthem customers Personal Information.
17
3.
18
egregious because Anthem failed to encrypt customers Personal Information. Encryption uses
19
mathematical formulas to scramble sensitive data so that, should hackers steal the data, the hackers
20
would be unable to decipher it. Encryption thus safeguards consumers Personal Information since,
21
even if stolen, encrypted data is much harder to use for identity theft or other nefarious purposes
22
detrimental to the consumer whos data is at issue. Anthems failure to encrypt Plaintiffs and other
23
consumers Personal Information thus means the data is easily readable by the hackers who stole it.
24
Because Anthem failed to protect customers Personal Information, including the failure to encrypt
25
customers sensitive information, hackers were able to obtain and read critical Personal Information
26
27
28
Plaintiff identifies these categories of Personal Information stolen from Anthem based on presently
available information. Plaintiff reserves the right to amend this complaint to add further detail to the
Personal Information stolen from Anthem.
1
Class Action Complaint;
Case No.:
of up to 80 million Anthems customers that would allow them to steal their identities or otherwise
4.
Consumers could face a lifelong battle to deal with the consequences of their
Personal Information being stolen by hackers, including fraudulent tax returns or medical identify
fraud.2 Anthems failure to adequately protect customers Personal Information has caused, and will
continue to cause, substantial customer harm and injuries to consumers across the United States. In
particular, Anthem failed to adequately and reasonably ensure that its data systems were protected,
including the use of encryption; failed to take available steps to prevent and stop the breach from
happening in the first instance; failed to disclose that it did not have adequate computer systems and
10
security to prevent customers personal, financial and health information from being stolen; failed to
11
destroy former customers personal, financial and health information when it was no longer
12
necessary to maintain; and failed to provide timely and adequate notice of the data breach to all
13
affected persons.
14
5.
15
million consumers have had their Personal Information stolen, and have been harmed in one or more
16
of the following ways: (i) having their personal and financial information stolen; (ii) the costs
17
associated with detection and prevention of identity theft and unauthorized use of their financial
18
accounts; (iii) the time and costs associated with preventing, mitigating or dealing with changes to
19
financial accounts; (iv) the time, costs, expenses and future consequence from being the victim of
20
21
6.
Plaintiff brings this action seeking damages, restitution and injunctive relief on behalf
22
of herself and millions of Anthems customers throughout the United States who had their Personal
23
24
25
26
27
28
Shary Rudavsky, Anthem Data Breach Could Be Lifelong Battle for Customers, IndyStar,
February 7, 2015, available at http://www.indystar.com/story/news/2015/02/05/anthem-data-breachlifelong-battle-customers/22953623/ (last visited February 9, 2015).
2
Class Action Complaint;
Case No.:
II.
PARTIES
7.
Plaintiff Loralee Giotta is a citizen of the State of California, residing in San Jose,
Santa Clara County, California. Ms. Giotta has Medicare Supplemental health insurance through
8.
health insurer in the United States, and is incorporated and headquartered in Indianapolis, Indiana.
Anthem Inc. is licensed to conduct insurance operations in all 50 states, and conducts business in
California through the business operations of its wholly owned subsidiary, Anthem Blue Cross. One
in every nine Americans receives coverage through Anthem or one of its affiliated plans.3 Anthem
10
provides health insurance coverage as Blue Cross and Blue Shield in Colorado, Connecticut,
11
Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia
12
and Wisconsin. Anthem offers health insurance through Americgroup, its wholly-owned subsidiary,
13
in Florida, Georgia, Kansas, Louisiana, Maryland, Nevada, New Jersey, New York, Tennessee,
14
Texas and Washington.4 Anthem, Inc. also provides health insurance to customers throughout the
15
country as HealthLink, UniCare and in certain Arizona, California, Nevada, New York and Virginia
16
17
9.
18
subsidiary of Anthem, Inc. Anthem Blue Cross has more individual health insurance policyholders
19
20
21
22
23
3
24
25
26
Barbash and Phillip, Massive Data Hack of Health Insurer Anthem Potentially Exposes Millions,
Washington Post, February 5, 2015, available at http://www.washingtonpost.com/news/morningmix/wp/2015/02/05/massive-data-hack-of-health-insurer-anthem-exposes-millions/ (last visited
February 9, 2015).
4
27
SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at
http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm.
28
Id.
3
III.
controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, and is a class
action in which members of the class of plaintiffs are citizens of states different from Defendants.
11.
Venue is proper within this judicial district pursuant to 28 U.S.C. 1391(b) and (c).
Defendants transact business and are found within this District, and a substantial portion of the
underlying transactions and events complained of by the enterprise occurred in this district, and
affected persons, including Plaintiff, who reside or resided in this judicial district at the material
time. Defendants have received substantial compensation from such transactions and business
10
activity in this District, including as the result of premiums paid for Anthems insurance within this
11
District.
12
IV.
13
INTRA-DISTRICT ASSIGNMENT
12.
Consistent with Northern District of California Civil Local Rule 3-5(b), assignment to
14
the San Jose Division is appropriate under Civil Local Rule 3-2(c) and 3-2(e), because acts giving
15
rise to the claims at issue in this lawsuit occurred, among other places, in this District, in Santa Clara
16
County, California.
17
V.
18
19
FACTUAL ALLEGATIONS
13.
Health insurers, like Anthem, are obligated to keep customers personal, health and
20
14.
Health insurers such as Anthem know or should know of the risks their customers
21
Personal Information is stolen and of the need to carefully safeguard this information, in part
22
because hackers breach the healthcare industry more frequently than any other segment of the
23
economy.6
24
15.
25
Anthems own Health Insurance Portability and Accountability Act of 1996 (HIPAA)
26
27
28
Greisiger, Cyber Liability & Data Breach Insurance Claims, NetDiligence 2013, at p. 2, available
at http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf (last visited February 9, 2015).
4
We are dedicated to protecting your [personal health information], and have set up a number
of policies and practices to help make sure your [personal health information] is kept secure
We keep your oral, written and electronic [personal health information] safe using physical,
electronic, and procedural means. These safeguards follow federal and state laws. Some of
the ways we keep your [personal health information] safe include securing offices that hold
[personal health information], password-protecting computers, and locking storage areas and
filing cabinets. We require our employees to protect [personal health information] through
written policies and procedures. These policies limit access to [personal health information]
to only those employees who need the data to do their job. Employees are also required to
wear ID badges to help keep people who do not belong out of areas where sensitive data is
kept. Also, where required by law, our affiliates and nonaffiliates must protect the privacy of
data we share in the normal course of business. They are not allowed to give [personal health
information] to others without your written OK, except as allowed by law and outlined in this
notice.7
16.
2
3
4
5
6
7
10
Anthem also promises to keep its customers Personal Information protected as explained on its
11
website: Anthem Blue Cross and Blue Shield maintains policies that protect the confidentiality of
12
personal information, including Social Security numbers, obtained from its members and associates
13
in the course of its regular business functions. Anthem Blue Cross and Blue Shield is committed to
14
protecting information about its customers and associates, especially the confidential nature of their
15
personal information.8
16
17
17.
maintain their sensitive health and Personal Information private and secure.
18
19
18.
20
21
19.
Yet, despite its promises, on January 29, 2015, hackers were able to access millions
22
23
24
25
26
27
28
Anthems HIPPA notice titled, Information thats important to you, located on its website at
https://www.anthem.com/health-insurance/nsecurepdf/english_common_11832ANMEN (last visited
February 9, 2015).
8
Brandeisky, Anthem Health Insurance Was Hacked, Heres What Customers Need to Know, Time,
February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/
(last visited February 9, 2015).
5
Class Action Complaint;
Case No.:
security numbers, street addresses, email addresses and employment information, including income
data.10
20.
Anthem confirmed that all of its product lines were impacted by the cyber attack,
including Anthem Blue Cross, Blue Cross of California, Anthem Blue Cross and Blue Shield, Blue
Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore,
7
8
21.
The hackers who breached Anthems records were able to access a database
22.
Anthem did not announce that its data systems maintaining personal, financial and
10
potentially health information of its customers and employees was compromised immediately.
11
Instead, Anthem waited to announce that its systems were compromised, and that up to 80 million
12
consumers records had been stolen, until February 4, 2015. Moreover, Anthem is still delaying
13
14
23.
Before the breach, Anthem did not encrypt the data in this database, including Social
15
Security numbers and other Personal Information.13 Encryption is considered the most effective way
16
to secure data.14 Without encryption, the hackers who accessed the information will be able to easily
17
18
19
10
20
21
22
23
11
Brandeisky, Anthem Health Insurance Was Hacked, Heres What Customers Need to Know, Time,
February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/
(last visited February 9, 2015).
12
24
25
Tracer, After Hack, Anthem to Notify Affected Customers Within Two Weeks, Bloomberg,
February 5, 2015, available at < http://www.bloomberg.com/news/articles/2015-02-05/anthem-totell-hacked-customers-in-two-weeks-no-earnings-impact> (last visited February 9, 2015).
13
27
Jaspen, Hackers Stole Data on 80 Million Anthem Customers. Why Wasnt It Encrypted?, Forbes,
February 6, 2015, available at < http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didntencrypt-personal-data-and-privacy-laws-dont-require-it/> (last visited February 9, 2015).
28
14
26
Id.
6
24.
cybersecurity firm, to evaluate Anthems systems and identify solutions to Anthems systems
vulnerabilities.15
25.
Anthem could have retained Mandiant prior to the cyber attack to analyze and
identify solutions for its systems vulnerabilities, and this could have prevented the cyber attack
from occurring, or at the least minimized the amount of information stolen from Anthems systems.
26.
Indeed, Anthem and other health insurers routinely maintain consumers health and
financial information, and have been on notice of potential cyber attacks seeking to get consumers
Personal Information.
10
27.
In 2014, the Federal Bureau of Investigations cyber division warned health care
11
systems that cyber attacks were likely to occur after January 2015, when healthcare companies were
12
13
that healthcare companies were more susceptible to cyber attacks, making future attacks likely. The
14
FBIs report was highly publicized, being reported by such news agencies as Reuters.17
15
28.
16
Indeed, even before the full transition over to electronic medical records, other
16
healthcare companies were the targets of major cyber attacks. According to a SANS Analyst
17
Whitepaper from February 2014 titled, Health Care Cyberthreat Report: Widespread Compromises
18
19
20
21
22
15
16
23
24
25
26
27
28
Finkle, Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, Reuters, April 23,
2014, available at
http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbiexclusiv-idUSBREA3M1Q920140423 (last visited February 9, 2014).
18
Filkins, Health Care Cyberthreat Report, SANS, February 2014, available at http://pages.norsecorp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf
(last
visited
February 9, 2015).
7
Class Action Complaint;
Case No.:
29.
Anthem was aware that it needed to maintain the security of its customers Private
Information. In its SEC Form 10-K filings dated February 20, 2014, Anthem acknowledged that it
must maintain and upgrade its data systems to protect its customers data.19
30.
Yet, despite the many warnings, Anthems own promises to maintain data security,
and the critical nature of maintaining the security of consumers financial information, Anthem did
not even take steps to encrypt the sensitive Personal Information of its customers and employees that
it maintained.
8
9
10
31.
Anthem also did not disclose to anyone that it did not have adequate security systems
in place to keep Plaintiff and other customers personal, financial and health information that
Anthem maintained on its computer systems private and secure.
11
32.
Due to Anthems failure to maintain the privacy and security of Plaintiffs and Class
12
Members private personal, financial and health information, Anthem has violated the law and
13
14
VI.
15
This action asserts claims on behalf of a nationwide class, and a California subclass
16
pursuant to Federal Rules of Civil Procedure 23(a), (b)(1), (b)(2), (b)(3), and (c)(4), which class and
17
subclasses consist of persons who had their data stolen from Anthems systems as follows:
18
All persons in the United States whose personal, health or financial information was
compromised by the data breach disclosed by Anthem on February 4, 2015 (the National
Class).
19
20
All persons in California whose personal, health or financial information was compromised
by the data breach disclosed by Anthem on February 4, 2015 (the California Subclass).
21
22
34.
Excluded from each of the class and subclasses are: (i) Anthem Inc., and its
23
employees, principals, affiliated entities, legal representatives, successors and assigns; (ii) Blue
24
Cross of California, and its employees, principals, affiliated entities, legal representatives, successors
25
26
27
28
19
SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at
http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm.
8
and assigns; (iii) the judges to whom this action is assigned and any members of their immediate
families.
35.
There are thousands of members in each of the National Class and California
Subclass who are geographically dispersed throughout California and the United States. Therefore,
individual joinder of the members of any of the classes defined above would be impracticable.
6
7
36.
Common questions of law or fact exist as to all members of the National Class and
10
11
12
13
14
unlawful;
c. Whether Anthem owed a duty to Plaintiff and members of the National Class
and/or California Subclass to protect their Personal Information;
d. Whether Anthem breached its duty owed to Plaintiff and members of the National
Class and/or California Subclass to protect their Personal Information;
15
e. Whether Anthem owed a duty to Plaintiff and members of the National Class
16
17
data breach;
18
f. Whether Anthem breached its duty owed to Plaintiff and members of the National
19
20
21
22
23
24
25
26
27
28
g. Whether Anthem knew or should have known that its computer systems were
vulnerable to attack;
h. Whether Anthem had a duty to encrypt Plaintiffs and members of the National
Class and/or California Subclass Personal Information;
i. Whether Anthem breached its duty to encrypt Plaintiffs and members of the
National Class and/or California Subclass Personal Information;
j. Whether Plaintiff and members of the National Class and California Subclass
suffered injury as a result of Anthems conduct or failure to act; and
9
Class Action Complaint;
Case No.:
k. Whether Plaintiff and members of the National Class and California Subclass are
2
3
Plaintiffs claims are typical of the claims of the National Class and California
Subclass. Plaintiff is an Anthem customer whose Personal Information was compromised by the
data breach announced by Anthem on February 4, 2015. Therefore, Plaintiff is no different in any
material respect from any other members of the National Class or California Subclass, and the relief
sought by Plaintiff is common to the relief sought by the class and subclass.
38.
because her interests do not conflict with the interests of the class or subclass members she seeks to
10
represent, and she has retained counsel competent and experienced in conducting complex class
11
action litigation. Plaintiff and her counsel will adequately protect the interests of the class and
12
subclass.
13
39.
A class action is superior to other available means for the fair and efficient
14
adjudication of this dispute. The damages suffered by each individual member of the National Class
15
and California Subclass are relatively small, while the burden and monetary expense needed to
16
individually prosecute this case against Defendants is substantial. Thus, it would be virtually
17
impossible for class and subclass members individually to redress effectively the wrongs done to
18
them. Moreover, even if members of the class and subclass defined herein could afford individual
19
actions, a multitude of such individual actions still would not be preferable to class wide litigation.
20
Individual actions also present the potential for inconsistent or contradictory judgments, which
21
would be dispositive of at least some of the issues and hence interests of the other members not party
22
to the individual actions, would substantially impair or impede their ability to protect their interests,
23
and would establish incompatible standards of conduct for the party opposing the class.
24
40.
By contrast, a class action presents far fewer litigation management difficulties, and
25
provides the benefits of single adjudication, economies of scale, and comprehensive supervision by a
26
single court. Also, or in the alternative, the National Class and California Subclass may be certified
27
because Defendants have acted or refused to act on grounds generally applicable to each of the
28
respective class and subclass, thereby making preliminary and final declaratory relief appropriate.
10
Class Action Complaint;
Case No.:
Also in the alternative, the National Class and California Subclass may be certified with respect to
41.
All records concerning Anthems data breach, including records sufficient to identify
members of the National Class and California Subclass, are in the possession and control of Anthem
VII.
7
8
9
10
11
Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
Anthem owed a duty to Plaintiff and National Class members to exercise reasonable
12
care in retaining, maintaining, securing and safeguarding the Personal Information of customers in
13
14
persons.
15
databases containing customers personal, financial and health information to ensure that Plaintiffs
16
and National Class members personal, financial and health information was secured from cyber
17
attack. This duty also included, at the minimum, that Plaintiffs and National Class members
18
19
44.
This duty included, inter alia, creating, maintaining, testing and securing Anthems
Anthem owed a duty to Plaintiff and National Class members to implement processes
20
to detect a breach of its security systems in a timely manner, and to act upon any warnings or alerts
21
22
23
24
25
26
45.
Anthem owed a duty to Plaintiff and National Class members to timely disclose any
Anthem owed a duty to disclose to Plaintiff and National Class members to disclose
that it could not adequately keep private the Personal Information of its customers.
47.
Anthem breached these duties owed to Plaintiff and National Class members by its
27
conduct alleged herein by, inter alia, (i) failing to exercise reasonable care in retaining, maintaining,
28
securing and safeguarding the Personal Information of customers in Anthems possession from being
11
Class Action Complaint;
Case No.:
customers Personal Information; (ii) failing to implement processes to detect a breach of its security
systems in a timely manner, and to act upon any warnings or alerts that Anthems security systems
were breached; (iii) failing to timely disclose to Plaintiff and members of the National Class any
breach of its security systems; (iv) failing to timely disclose any breach of its security systems; and
(v) failing to disclose that it could not adequately keep private the personal, financial and health
8
9
48.
10
personal, financial and health information; costs associated with detecting and preventing identity
11
theft and unauthorized use of their personal, financial and health information; costs associated with
12
the loss of work or productivity addressing, ameliorating, mitigating and otherwise dealing with
13
actual and future consequences of the data breach, including finding unauthorized charges on credit
14
cards, cancelling credit cards, purchasing credit monitoring and identity theft protection services,
15
and stress, nuisance and annoyance with the issues resulting from Anthems data breach; actual and
16
certain future injuries from fraud and identity theft due to Plaintiffs and National Class members
17
personal, financial and health information being stolen by hackers; damages to Plaintiffs and
18
National Class members credit; premiums Plaintiff and National Class members paid to Anthem for
19
health insurance where, had Plaintiff and National Class members known Anthem would not protect
20
their personal, financial and/or health information private, they would have paid to another health
21
insurance provider; and the overpayment of premium to Anthem for the cost of Anthem providing
22
reasonable and adequate safeguards for Plaintiffs and National Class members personal, private
23
24
25
26
27
49.
Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
28
12
Class Action Complaint;
Case No.:
50.
National Class members personal, financial and health information. Specifically, Anthem promises
to keep Plaintiffs and National Class members oral, written and electronic Personal Information
safe using physical, electronic, and procedural means, and to protect Plaintiffs and National Class
members confidentiality of their personal and financial information, including Social Security
numbers.
51.
Plaintiff and National Class members bargained and performed their obligations when
they paid (or when others paid on their behalf) for Anthems promise to maintain the security and
privacy of the personal, financial and health information given to it when Plaintiff and National
10
11
Plaintiff and National Class members paid for (or others paying on their behalf paid
12
for), the security of their personal, financial and health information promised by Anthem, the price
13
of which was part of the premiums paid to Anthem, but Plaintiff and the National Class did not
14
15
53.
Anthem breached its contractual obligations to Plaintiff and National Class members
16
by failing to safeguard and protect the Personal Information of Plaintiff and National Class
17
members.
18
19
54.
As a direct and proximate result of Anthems breach, Plaintiff and National Class
20
21
22
23
24
25
Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
26
safeguard and protect the Personal Information provided to it by Plaintiff and National Class
27
members when Plaintiff and National Class members provided their Personal Information to Anthem
28
13
Class Action Complaint;
Case No.:
when they purchased health insurance from Anthem (or when health insurances was purchased from
57.
Plaintiff and National Class members would not have provided their Personal
Information to Anthem absent Anthems implied promise to safeguard and protect consumers
Personal Information.
6
7
8
9
10
11
12
58.
Plaintiff and National Class members performed all the obligations required by them
under the implied contract when they purchased health insurance from Anthem.
59.
Anthem breached its implied contracts with Plaintiff and National Class members by
failing to safeguard and protect the personal, financial and health information provided to it by
Plaintiff and National Class members.
60.
As a direct and proximate result of Anthems breach of its implied contracts, Plaintiff
and National Class members suffered the damages and injuries described herein.
13
14
15
16
17
18
61.
Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
The Personal Information maintained by Anthem, and that was taken in the data
19
breach revealed on February 4, 2015, constitutes protected personal information under Californias
20
21
63.
Anthem was required to implement and maintain reasonable security procedures and
22
practices to protect Plaintiffs and California Subclass members personal information from
23
unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code. 1798.81.5.
24
64.
Anthem was required to take all reasonable steps to dispose, or arrange for the
25
disposal, of customer records within its custody or control containing personal information when the
26
records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise
27
28
65.
Anthem was also required to disclose a breach of the security of the system following
discovery or notification of the breach in the security of the data to a resident of California whose
unauthorized person. The disclosure shall be made in the most expedient time possible and without
66.
Anthem has violated Californias Data Breach Act by (i) failing to implement and
maintain reasonable security procedures and practices to protect Plaintiffs and California Subclass
disclosure; (ii) failing to take all reasonable steps to dispose, or arrange for the disposal, of customer
10
records within its custody or control containing personal information when the records are no longer
11
to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal
12
information in those records to make it unreadable or undecipherable through any means; and (iii)
13
failing to disclose in the most expedient time possible without delay that California residents
14
unencrypted personal information was, or was reasonably believed to have been, acquired by an
15
unauthorized person.
16
67.
17
California Subclass members are entitled to recover damages sustained as a result of Anthems
18
violation of the Data Breach Act, as well as attorneys fees, costs, and expenses incurred in bringing
19
this action.
20
21
22
23
24
25
26
68.
Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
Plaintiff brings this cause of action on behalf of herself and the members of the
California Subclass.
27
28
15
Class Action Complaint;
Case No.:
70.
The Unfair Competition Law (UCL), California Business and Professions Code
17200, et seq., defines unfair business competition to include any unlawful, unfair or fraudulent
act or practice.
4
5
6
71.
72.
Defendants have and continue to violate the unlawful prong of the UCL by failing
law.
to securely maintain Plaintiffs and California Subclass members Personal Information, failing to
destroy Plaintiffs and California Subclass members Personal Information when it was not needed,
and failing to timely notify Plaintiff and California Subclass members of the data breach as
10
11
described herein in violation of Californias Data Breach Act, Cal. Civ. Code 1798, et seq.
73.
Through their unlawful acts and practices, Defendants have obtained, and continue to
12
unfairly obtain, money from Plaintiff and members of the California Subclass. As such, Plaintiff
13
requests on behalf of herself and all California Subclass members the relief set forth in the Prayer,
14
including that this Court enjoin Defendants from continuing to violate the Unfair Competition Law
15
as discussed herein. Otherwise, the California Subclass may be irreparably harmed and/or denied an
16
17
18
19
20
21
Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates
them as if they were fully written herein. Plaintiff pleads this Cause of Action in the alternative.
75.
22
Information, failure to destroy said information when it was no longer necessary to maintain, and
23
failure to timely notify Plaintiff and National Class members of the data breach was unlawful as
24
described herein. Defendants took money from (or on behalf of) Plaintiff and National Class
25
members based upon assurances that it would maintain the security of the Personal Information
26
provided to it. By failing to maintain the security and privacy of Plaintiff and National Class
27
members personal, financial and health information, Defendants have been unjustly enriched at the
28
16
Class Action Complaint;
Case No.:
expense of Plaintiff and National Class members, thereby creating a quasi-contractual obligation on
Defendants to restore these ill-gotten gains to Plaintiff and the National Class.
76.
As a direct and proximate result of Defendants unjust enrichment, Plaintiff and the
trial.
VIII. PRAYER
7
8
9
WHEREFORE, Plaintiff, on behalf of herself all members of the National Class and
California Subclass requests award and relief as follows:
A.
An order certifying that this action is properly brought and may be maintained as a
10
class action, that Plaintiff Loralee Giotta be appointed a Class Representatives for the National Class
11
and California Subclass, and that Plaintiffs counsel be appointed Counsel for the National Class and
12
California Subclass.
13
14
15
16
17
B.
An order enjoining Defendants from continuing the unlawful practices as set forth
18
herein, and directing Defendants to identify, with Court supervision, victims of their conduct and
19
20
21
22
23
24
E.
Awarding interest on the monies wrongfully obtained from the date of collection
An order awarding Plaintiff her costs of suit, including reasonable attorneys fees and
Such other and further relief as may be available as part of the statutory claims
25
asserted herein, or otherwise as may be deemed necessary or appropriate for any of the claims
26
asserted.
27
28
17
Class Action Complaint;
Case No.:
1
2
3
IX.
Respectfully Submitted,
4
5
/s/William T. Payne
William T. Payne (CSB 90988)
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
18
Class Action Complaint;
Case No.: