
Case5:15-cv-00618-HRL Document1 Filed02/09/15 Page1 of 19

William T. Payne (CSB 90988)
Joseph N. Kravec, Jr. (to be admitted pro hac vice)
Wyatt A. Lison (to be admitted pro hac vice)
FEINSTEIN DOYLE PAYNE & KRAVEC, LLC
Allegheny Building, 17th Floor
429 Forbes Avenue
Pittsburgh, PA 15219
Tel: (412) 281-8400
Fax: (412) 281-1007
Email: wpayne@fdpklaw.com
Email: jkravec@fdpklaw.com
Email: wlison@fdpklaw.com

ATTORNEYS FOR PLAINTIFF AND THE PROPOSED CLASS AND SUBCLASS

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

Loralee Giotta,
Plaintiff,

vs.

Anthem, Inc., Blue Cross of California (d/b/a Anthem Blue Cross), and Does 1-10,
Defendants.

Case No.:

CLASS ACTION COMPLAINT FOR:
(1) Negligence
(2) Breach of Contract
(3) Breach of Implied Contract
(4) Violation of California's Data Breach Law (Cal Civ. Code § 1798 et seq.)
(5) Violation of California's Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq.); and
(6) Restitution Based Upon Quasi Contract / Unjust Enrichment

DEMAND FOR JURY TRIAL

Class Action Complaint;
Case No.:

Plaintiff Loralee Giotta ("Plaintiff") by her attorneys, brings this class action on her own behalf and on behalf of all others similarly situated against Defendant Anthem, Inc. and Blue Cross of California, doing business as Anthem Blue Cross (collectively "Anthem"), and other unknown DOE defendants (collectively all defendants are referred to as "Defendants"), and alleges as follows upon information and belief based on, inter alia, the investigation of their counsel:

I. INTRODUCTION

1. This is an action against Anthem, Inc. and its subsidiary Blue Cross of California, one of the largest health insurers in the United States (collectively "Anthem"), for their failure to secure and protect customers' sensitive personally identifiable and financial information, including names, birth dates, Social Security numbers, addresses, phone numbers, email addresses, health insurer member identification numbers and possibly personal health care data (collectively "customers' Personal Information").1

2. On or about February 4, 2015, Anthem first publicly disclosed that hackers had breached its computer systems in which Anthem maintained the Personal Information of its customers (i.e., the policy owners and insureds of the insurance policies it issues). As a result of this security breach, these hackers stole and now possess Anthem customers' Personal Information.

3. Anthem's failure to safeguard consumers' Personal Information is particularly egregious because Anthem failed to encrypt customers' Personal Information. Encryption uses mathematical formulas to scramble sensitive data so that, should hackers steal the data, the hackers would be unable to decipher it. Encryption thus safeguards consumers' Personal Information since, even if stolen, encrypted data is much harder to use for identity theft or other nefarious purposes detrimental to the consumer whose data is at issue. Anthem's failure to encrypt Plaintiff's and other consumers' Personal Information thus means the data is easily readable by the hackers who stole it. Because Anthem failed to protect customers' Personal Information, including the failure to encrypt customers' sensitive information, hackers were able to obtain and read critical Personal Information of up to 80 million of Anthem's customers that would allow them to steal their identities or otherwise use their credit without authorization.

1 Plaintiff identifies these categories of Personal Information stolen from Anthem based on presently available information. Plaintiff reserves the right to amend this complaint to add further detail to the Personal Information stolen from Anthem.

4. Consumers could face a lifelong battle to deal with the consequences of their Personal Information being stolen by hackers, including fraudulent tax returns or medical identity fraud.2 Anthem's failure to adequately protect customers' Personal Information has caused, and will continue to cause, substantial customer harm and injuries to consumers across the United States. In particular, Anthem failed to adequately and reasonably ensure that its data systems were protected, including the use of encryption; failed to take available steps to prevent and stop the breach from happening in the first instance; failed to disclose that it did not have adequate computer systems and security to prevent customers' personal, financial and health information from being stolen; failed to destroy former customers' personal, financial and health information when it was no longer necessary to maintain; and failed to provide timely and adequate notice of the data breach to all affected persons.

5. As a result of Anthem's failure to protect customers' Personal Information, up to 80 million consumers have had their Personal Information stolen, and have been harmed in one or more of the following ways: (i) having their personal and financial information stolen; (ii) the costs associated with detection and prevention of identity theft and unauthorized use of their financial accounts; (iii) the time and costs associated with preventing, mitigating or dealing with changes to financial accounts; (iv) the time, costs, expenses and future consequence from being the victim of fraudulent charges; and (v) damage to their credit.

6. Plaintiff brings this action seeking damages, restitution and injunctive relief on behalf of herself and millions of Anthem's customers throughout the United States who had their Personal Information stolen due to Anthem's failure to secure its computer systems.

2 Shary Rudavsky, Anthem Data Breach Could Be Lifelong Battle for Customers, IndyStar, February 7, 2015, available at http://www.indystar.com/story/news/2015/02/05/anthem-data-breachlifelong-battle-customers/22953623/ (last visited February 9, 2015).

II. PARTIES

7. Plaintiff Loralee Giotta is a citizen of the State of California, residing in San Jose, Santa Clara County, California. Ms. Giotta has Medicare Supplemental health insurance through Anthem Blue Cross.

8. Defendant Anthem, Inc., previously known as WellPoint, Inc., is the second-largest health insurer in the United States, and is incorporated and headquartered in Indianapolis, Indiana. Anthem Inc. is licensed to conduct insurance operations in all 50 states, and conducts business in California through the business operations of its wholly owned subsidiary, Anthem Blue Cross. One in every nine Americans receives coverage through Anthem or one of its affiliated plans.3 Anthem provides health insurance coverage as Blue Cross and Blue Shield in Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin. Anthem offers health insurance through Amerigroup, its wholly-owned subsidiary, in Florida, Georgia, Kansas, Louisiana, Maryland, Nevada, New Jersey, New York, Tennessee, Texas and Washington.4 Anthem, Inc. also provides health insurance to customers throughout the country as HealthLink, UniCare and in certain Arizona, California, Nevada, New York and Virginia markets through our CareMore Health Group, Inc., or CareMore, subsidiary.5

9. Defendant Anthem Blue Cross is a California corporation, and wholly owned subsidiary of Anthem, Inc. Anthem Blue Cross has more individual health insurance policyholders in California than any other insurer.

3 Barbash and Phillip, Massive Data Hack of Health Insurer Anthem Potentially Exposes Millions, Washington Post, February 5, 2015, available at http://www.washingtonpost.com/news/morningmix/wp/2015/02/05/massive-data-hack-of-health-insurer-anthem-exposes-millions/ (last visited February 9, 2015).

4 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm.

5 Id.

III. JURISDICTION AND VENUE

10. Jurisdiction of this Court is proper under 28 U.S.C. § 1332(d)(2). The matter in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, and is a class action in which members of the class of plaintiffs are citizens of states different from Defendants.

11. Venue is proper within this judicial district pursuant to 28 U.S.C. § 1391(b) and (c). Defendants transact business and are found within this District, and a substantial portion of the underlying transactions and events complained of by the enterprise occurred in this district, and affected persons, including Plaintiff, who reside or resided in this judicial district at the material time. Defendants have received substantial compensation from such transactions and business activity in this District, including as the result of premiums paid for Anthem's insurance within this District.

IV. INTRA-DISTRICT ASSIGNMENT

12. Consistent with Northern District of California Civil Local Rule 3-5(b), assignment to the San Jose Division is appropriate under Civil Local Rule 3-2(c) and 3-2(e), because acts giving rise to the claims at issue in this lawsuit occurred, among other places, in this District, in Santa Clara County, California.

V. FACTUAL ALLEGATIONS

13. Health insurers, like Anthem, are obligated to keep customers' personal, health and financial information private and secured.

14. Health insurers such as Anthem know or should know of the risk that their customers' Personal Information could be stolen and of the need to carefully safeguard this information, in part because hackers breach the healthcare industry more frequently than any other segment of the economy.6

6 Greisiger, Cyber Liability & Data Breach Insurance Claims, NetDiligence 2013, at p. 2, available at http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf (last visited February 9, 2015).

15. Anthem's own Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Notice of Privacy Protection tells its customers:

We are dedicated to protecting your [personal health information], and have set up a number
of policies and practices to help make sure your [personal health information] is kept secure

We keep your oral, written and electronic [personal health information] safe using physical,
electronic, and procedural means. These safeguards follow federal and state laws. Some of
the ways we keep your [personal health information] safe include securing offices that hold
[personal health information], password-protecting computers, and locking storage areas and
filing cabinets. We require our employees to protect [personal health information] through
written policies and procedures. These policies limit access to [personal health information]
to only those employees who need the data to do their job. Employees are also required to
wear ID badges to help keep people who do not belong out of areas where sensitive data is
kept. Also, where required by law, our affiliates and nonaffiliates must protect the privacy of
data we share in the normal course of business. They are not allowed to give [personal health
information] to others without your written OK, except as allowed by law and outlined in this
notice.7

16. As with customers' health information that Anthem says it proactively protects, Anthem also promises to keep its customers' Personal Information protected as explained on its website: "Anthem Blue Cross and Blue Shield maintains policies that protect the confidentiality of personal information, including Social Security numbers, obtained from its members and associates in the course of its regular business functions. Anthem Blue Cross and Blue Shield is committed to protecting information about its customers and associates, especially the confidential nature of their personal information."8

17. Consumers such as Anthem's customers rely on health insurers such as Anthem to maintain their sensitive health and Personal Information private and secure.

18. Anthem claims to maintain state-of-the-art information security systems to protect its customer personal health and financial data.9

19. Yet, despite its promises, on January 29, 2015, hackers were able to access millions of Anthem's customers' Personal Information, including names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.10

7 Anthem's HIPAA notice titled, "Information that's important to you," located on its website at https://www.anthem.com/health-insurance/nsecurepdf/english_common_11832ANMEN (last visited February 9, 2015).

8 Anthem's HIPAA Notice of Privacy Practices, located on its website at https://www.anthem.com/health-insurance/about-us/privacy#hipaa (last visited February 9, 2015).

9 Brandeisky, Anthem Health Insurance Was Hacked, Here's What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 9, 2015).

20. Anthem confirmed that all of its product lines were impacted by the cyber attack, including Anthem Blue Cross, Blue Cross of California, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.

21. The hackers who breached Anthem's records were able to access a database containing up to 80 million current and former customers' and employees' records.11

22. Anthem did not immediately announce that its data systems maintaining personal, financial and potentially health information of its customers and employees were compromised. Instead, Anthem waited to announce that its systems were compromised, and that up to 80 million consumers' records had been stolen, until February 4, 2015. Moreover, Anthem is still delaying notifying individual consumers affected by the breach.12

23. Before the breach, Anthem did not encrypt the data in this database, including Social Security numbers and other Personal Information.13 Encryption is considered the most effective way to secure data.14 Without encryption, the hackers who accessed the information will be able to easily access all of the Personal Information accessed.

10 Anthem CEO Joseph R. Swedish's statement to Anthem consumers, available at <http://www.anthemfacts.com/> (last visited February 9, 2015).

11 Brandeisky, Anthem Health Insurance Was Hacked, Here's What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breach-social-security/ (last visited February 9, 2015).

12 Tracer, After Hack, Anthem to Notify Affected Customers Within Two Weeks, Bloomberg, February 5, 2015, available at <http://www.bloomberg.com/news/articles/2015-02-05/anthem-totell-hacked-customers-in-two-weeks-no-earnings-impact> (last visited February 9, 2015).

13 Japsen, Hackers Stole Data on 80 Million Anthem Customers. Why Wasn't It Encrypted?, Forbes, February 6, 2015, available at <http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didntencrypt-personal-data-and-privacy-laws-dont-require-it/> (last visited February 9, 2015).

14 Id.

24. Only as a result of the cyber attack, Anthem retained Mandiant, a leading cybersecurity firm, to evaluate Anthem's systems and identify solutions to Anthem's systems' vulnerabilities.15

25. Anthem could have retained Mandiant prior to the cyber attack to analyze and identify solutions for its systems' vulnerabilities, and this could have prevented the cyber attack from occurring, or at the least minimized the amount of information stolen from Anthem's systems.

26. Indeed, Anthem and other health insurers routinely maintain consumers' health and financial information, and have been on notice of potential cyber attacks seeking to get consumers' Personal Information.

27. In 2014, the Federal Bureau of Investigation's cyber division warned health care systems that cyber attacks were likely to occur after January 2015, when healthcare companies were required to transfer from paper medical records over to electronic records.16 The FBI pointed out that healthcare companies were more susceptible to cyber attacks, making future attacks likely. The FBI's report was highly publicized, being reported by such news agencies as Reuters.17

28. Indeed, even before the full transition over to electronic medical records, other healthcare companies were the targets of major cyber attacks. According to a SANS Analyst Whitepaper from February 2014 titled, "Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon," healthcare providers, including insurance companies, were regular targets of cyber attacks, and particularly vulnerable to them.18

15 Anthem CEO Joseph R. Swedish's statement to Anthem consumers, available at <http://www.anthemfacts.com/> (last visited February 9, 2015).

16 FBI Cyber Division Private Industry Notification, April 8, 2014, available at https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf (last visited February 9, 2015).

17 Finkle, Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, Reuters, April 23, 2014, available at http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbiexclusiv-idUSBREA3M1Q920140423 (last visited February 9, 2014).

18 Filkins, Health Care Cyberthreat Report, SANS, February 2014, available at http://pages.norsecorp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf (last visited February 9, 2015).

29. Anthem was aware that it needed to maintain the security of its customers' Private Information. In its SEC Form 10-K filings dated February 20, 2014, Anthem acknowledged that it must maintain and upgrade its data systems to protect its customers' data.19

30. Yet, despite the many warnings, Anthem's own promises to maintain data security, and the critical nature of maintaining the security of consumers' financial information, Anthem did not even take steps to encrypt the sensitive Personal Information of its customers and employees that it maintained.

31. Anthem also did not disclose to anyone that it did not have adequate security systems in place to keep Plaintiff's and other customers' personal, financial and health information that Anthem maintained on its computer systems private and secure.

32. Due to Anthem's failure to maintain the privacy and security of Plaintiff's and Class Members' private personal, financial and health information, Anthem has violated the law and breached its duties to its customers.

VI. CLASS ACTION ALLEGATIONS

33. This action asserts claims on behalf of a nationwide class, and a California subclass pursuant to Federal Rules of Civil Procedure 23(a), (b)(1), (b)(2), (b)(3), and (c)(4), which class and subclasses consist of persons who had their data stolen from Anthem's systems as follows:

All persons in the United States whose personal, health or financial information was compromised by the data breach disclosed by Anthem on February 4, 2015 (the "National Class").

All persons in California whose personal, health or financial information was compromised by the data breach disclosed by Anthem on February 4, 2015 (the "California Subclass").

34. Excluded from each of the class and subclasses are: (i) Anthem Inc., and its employees, principals, affiliated entities, legal representatives, successors and assigns; (ii) Blue Cross of California, and its employees, principals, affiliated entities, legal representatives, successors and assigns; (iii) the judges to whom this action is assigned and any members of their immediate families.

19 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp-20131231x10k.htm.

35. There are thousands of members in each of the National Class and California Subclass who are geographically dispersed throughout California and the United States. Therefore, individual joinder of the members of any of the classes defined above would be impracticable.

36. Common questions of law or fact exist as to all members of the National Class and California Subclass. These common legal or factual questions include:

a. Whether Anthem engaged in the wrongful conduct alleged herein;
b. Whether Anthem's conduct was deceptive, unfair, unconscionable and/or unlawful;
c. Whether Anthem owed a duty to Plaintiff and members of the National Class and/or California Subclass to protect their Personal Information;
d. Whether Anthem breached its duty owed to Plaintiff and members of the National Class and/or California Subclass to protect their Personal Information;
e. Whether Anthem owed a duty to Plaintiff and members of the National Class and/or California Subclass to timely and accurately provide notice of Anthem's data breach;
f. Whether Anthem breached its duty owed to Plaintiff and members of the National Class and/or California Subclass to timely or accurately provide notice of Anthem's data breach;
g. Whether Anthem knew or should have known that its computer systems were vulnerable to attack;
h. Whether Anthem had a duty to encrypt Plaintiff's and members of the National Class and/or California Subclass' Personal Information;
i. Whether Anthem breached its duty to encrypt Plaintiff's and members of the National Class and/or California Subclass' Personal Information;
j. Whether Plaintiff and members of the National Class and California Subclass suffered injury as a result of Anthem's conduct or failure to act; and
k. Whether Plaintiff and members of the National Class and California Subclass are entitled to damages, restitution and/or equitable relief.


37. Plaintiff's claims are typical of the claims of the National Class and California Subclass. Plaintiff is an Anthem customer whose Personal Information was compromised by the data breach announced by Anthem on February 4, 2015. Therefore, Plaintiff is no different in any material respect from any other members of the National Class or California Subclass, and the relief sought by Plaintiff is common to the relief sought by the class and subclass.

38. Plaintiff is an adequate representative of the National Class and California Subclass because her interests do not conflict with the interests of the class or subclass members she seeks to represent, and she has retained counsel competent and experienced in conducting complex class action litigation. Plaintiff and her counsel will adequately protect the interests of the class and subclass.

39. A class action is superior to other available means for the fair and efficient adjudication of this dispute. The damages suffered by each individual member of the National Class and California Subclass are relatively small, while the burden and monetary expense needed to individually prosecute this case against Defendants is substantial. Thus, it would be virtually impossible for class and subclass members individually to redress effectively the wrongs done to them. Moreover, even if members of the class and subclass defined herein could afford individual actions, a multitude of such individual actions still would not be preferable to class wide litigation. Individual actions also present the potential for inconsistent or contradictory judgments, which would be dispositive of at least some of the issues and hence interests of the other members not party to the individual actions, would substantially impair or impede their ability to protect their interests, and would establish incompatible standards of conduct for the party opposing the class.

40. By contrast, a class action presents far fewer litigation management difficulties, and provides the benefits of single adjudication, economies of scale, and comprehensive supervision by a single court. Also, or in the alternative, the National Class and California Subclass may be certified because Defendants have acted or refused to act on grounds generally applicable to each of the respective class and subclass, thereby making preliminary and final declaratory relief appropriate. Also in the alternative, the National Class and California Subclass may be certified with respect to particular issues pursuant to Fed.R.Civ.P. 23(c)(4).

41. All records concerning Anthem's data breach, including records sufficient to identify members of the National Class and California Subclass, are in the possession and control of Anthem and its agents and are available through discovery.

VII. CLAIMS FOR RELIEF

FIRST CAUSE OF ACTION
Negligence (on Behalf of Plaintiff and the National Class against all Defendants)

42. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates them as if they were fully written herein.


43. Anthem owed a duty to Plaintiff and National Class members to exercise reasonable care in retaining, maintaining, securing and safeguarding the Personal Information of customers in Anthem's possession from being compromised, stolen, accessed or misused by unauthorized persons. This duty included, inter alia, creating, maintaining, testing and securing Anthem's databases containing customers' personal, financial and health information to ensure that Plaintiff's and National Class members' personal, financial and health information was secured from cyber attack. This duty also included, at the minimum, that Plaintiff's and National Class members' personal, financial and health information be maintained in encrypted form.

44. Anthem owed a duty to Plaintiff and National Class members to implement processes to detect a breach of its security systems in a timely manner, and to act upon any warnings or alerts that Anthem's security systems were breached.

45. Anthem owed a duty to Plaintiff and National Class members to timely disclose any breach of its security systems.

46. Anthem owed a duty to Plaintiff and National Class members to disclose that it could not adequately keep private the Personal Information of its customers.

47. Anthem breached these duties owed to Plaintiff and National Class members by its conduct alleged herein by, inter alia, (i) failing to exercise reasonable care in retaining, maintaining, securing and safeguarding the Personal Information of customers in Anthem's possession from being compromised, stolen, accessed or misused by unauthorized persons, including failing to encrypt customers' Personal Information; (ii) failing to implement processes to detect a breach of its security systems in a timely manner, and to act upon any warnings or alerts that Anthem's security systems were breached; (iii) failing to timely disclose to Plaintiff and members of the National Class any breach of its security systems; (iv) failing to timely disclose any breach of its security systems; and (v) failing to disclose that it could not adequately keep private the personal, financial and health information of its customers.

48. As a result of Anthem's conduct described throughout this Complaint, Plaintiff and National Class members have been harmed. Such harm includes the theft of their identities, personal, financial and health information; costs associated with detecting and preventing identity theft and unauthorized use of their personal, financial and health information; costs associated with the loss of work or productivity addressing, ameliorating, mitigating and otherwise dealing with actual and future consequences of the data breach, including finding unauthorized charges on credit cards, cancelling credit cards, purchasing credit monitoring and identity theft protection services, and stress, nuisance and annoyance with the issues resulting from Anthem's data breach; actual and certain future injuries from fraud and identity theft due to Plaintiff's and National Class members' personal, financial and health information being stolen by hackers; damages to Plaintiff's and National Class members' credit; premiums Plaintiff and National Class members paid to Anthem for health insurance where, had Plaintiff and National Class members known Anthem would not protect their personal, financial and/or health information private, they would have paid to another health insurance provider; and the overpayment of premium to Anthem for the cost of Anthem providing reasonable and adequate safeguards for Plaintiff's and National Class members' personal, private and health information.

SECOND CAUSE OF ACTION
Breach of Contract (on behalf of Plaintiff and National Class against all Defendants)

49. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates them as if they were fully written herein.

50. Anthem had a contractual obligation to maintain the security of Plaintiff's and National Class members' personal, financial and health information. Specifically, Anthem promises to keep Plaintiff's and National Class members' oral, written and electronic Personal Information safe using physical, electronic, and procedural means, and to protect Plaintiff's and National Class members' confidentiality of their personal and financial information, including Social Security numbers.

51. Plaintiff and National Class members bargained and performed their obligations when they paid (or when others paid on their behalf) for Anthem's promise to maintain the security and privacy of the personal, financial and health information given to it when Plaintiff and National Class members paid for health insurance from Anthem.

52. Plaintiff and National Class members paid for (or others paying on their behalf paid for), the security of their personal, financial and health information promised by Anthem, the price of which was part of the premiums paid to Anthem, but Plaintiff and the National Class did not receive this security.

53. Anthem breached its contractual obligations to Plaintiff and National Class members by failing to safeguard and protect the Personal Information of Plaintiff and National Class members.

54. As a direct and proximate result of Anthem's breach, Plaintiff and National Class members suffered the damages and injuries described herein.

THIRD CAUSE OF ACTION


Breach of Implied Contract (on Behalf of Plaintiff and the National Class against all Defendants)

55. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates them as if they were fully written herein.

56. Anthem provided an implied contract to Plaintiff and National Class members to safeguard and protect the Personal Information provided to it by Plaintiff and National Class members when Plaintiff and National Class members provided their Personal Information to Anthem when they purchased health insurance from Anthem (or when health insurance was purchased from Anthem on their behalf).

57. Plaintiff and National Class members would not have provided their Personal Information to Anthem absent Anthem's implied promise to safeguard and protect consumers' Personal Information.

58. Plaintiff and National Class members performed all the obligations required by them under the implied contract when they purchased health insurance from Anthem.

59. Anthem breached its implied contracts with Plaintiff and National Class members by failing to safeguard and protect the personal, financial and health information provided to it by Plaintiff and National Class members.

60. As a direct and proximate result of Anthem's breach of its implied contracts, Plaintiff and National Class members suffered the damages and injuries described herein.

FOURTH CAUSE OF ACTION


Violations of the California Data Breach Act, California Civil Code § 1798.80, et seq. (on behalf of Plaintiff and the California Subclass against all Defendants)

61. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates them as if they were fully written herein.

62. The Personal Information maintained by Anthem, and that was taken in the data breach revealed on February 4, 2015, constitutes protected personal information under California's Data Breach Act.

63. Anthem was required to implement and maintain reasonable security procedures and practices to protect Plaintiff's and California Subclass members' personal information from unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code § 1798.81.5.

64. Anthem was required to take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means. Cal. Civ. Code § 1798.81.

65. Anthem was also required to disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay. Cal. Civ. Code § 1798.82.

66. Anthem has violated California's Data Breach Act by (i) failing to implement and maintain reasonable security procedures and practices to protect Plaintiff's and California Subclass members' personal information from unauthorized access, destruction, use, modification, or disclosure; (ii) failing to take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means; and (iii) failing to disclose in the most expedient time possible without delay that California residents' unencrypted personal information was, or was reasonably believed to have been, acquired by an unauthorized person.

67. As a result of Anthem's violation of California's Data Breach Act, Plaintiff and California Subclass members are entitled to recover damages sustained as a result of Anthem's violation of the Data Breach Act, as well as attorneys' fees, costs, and expenses incurred in bringing this action.

FIFTH CAUSE OF ACTION


Violation of The Unlawful prong of the Unfair Competition Law, Bus. & Prof. Code § 17200, et seq. (on behalf of Plaintiff and the California Default-Related Service Fee Subclass against all Defendants)

68. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates them as if they were fully written herein.

69. Plaintiff brings this cause of action on behalf of herself and the members of the California Subclass.

70. The Unfair Competition Law ("UCL"), California Business and Professions Code § 17200, et seq., defines unfair business competition to include any unlawful, unfair or fraudulent act or practice.

71. A business act or practice is unlawful if it violates any established state or federal law.

72. Defendants have and continue to violate the unlawful prong of the UCL by failing to securely maintain Plaintiff's and California Subclass members' Personal Information, failing to destroy Plaintiff's and California Subclass members' Personal Information when it was not needed, and failing to timely notify Plaintiff and California Subclass members of the data breach as described herein in violation of California's Data Breach Act, Cal. Civ. Code § 1798, et seq.

73. Through their unlawful acts and practices, Defendants have obtained, and continue to unfairly obtain, money from Plaintiff and members of the California Subclass. As such, Plaintiff requests on behalf of herself and all California Subclass members the relief set forth in the Prayer, including that this Court enjoin Defendants from continuing to violate the Unfair Competition Law as discussed herein. Otherwise, the California Subclass may be irreparably harmed and/or denied an effective and complete remedy if such an order is not granted.

SIXTH CAUSE OF ACTION


Restitution Based On Unjust Enrichment /Quasi-Contract (on behalf of Plaintiff and the National Class against All Defendants)

74. Plaintiff hereby incorporates the foregoing paragraphs of this Complaint and restates them as if they were fully written herein. Plaintiff pleads this Cause of Action in the alternative.

75. Defendants' failure to secure Plaintiff's and National Class members' Personal Information, failure to destroy said information when it was no longer necessary to maintain, and failure to timely notify Plaintiff and National Class members of the data breach was unlawful as described herein. Defendants took money from (or on behalf of) Plaintiff and National Class members based upon assurances that it would maintain the security of the Personal Information provided to it. By failing to maintain the security and privacy of Plaintiff and National Class members' personal, financial and health information, Defendants have been unjustly enriched at the expense of Plaintiff and National Class members, thereby creating a quasi-contractual obligation on Defendants to restore these ill-gotten gains to Plaintiff and the National Class.

76. As a direct and proximate result of Defendants' unjust enrichment, Plaintiff and the National Class are entitled to restitution or restitutionary disgorgement in an amount to be proved at trial.

VIII. PRAYER

WHEREFORE, Plaintiff, on behalf of herself and all members of the National Class and California Subclass requests award and relief as follows:

A. An order certifying that this action is properly brought and may be maintained as a class action, that Plaintiff Loralee Giotta be appointed a Class Representative for the National Class and California Subclass, and that Plaintiff's counsel be appointed Counsel for the National Class and California Subclass.

B. Awarding compensatory damages in an amount determined at trial for each Cause of Action asserted herein for which these damages are available.

C. Awarding restitution in an amount determined at trial for each Cause of Action asserted herein for which this relief is available.

D. An order enjoining Defendants from continuing the unlawful practices as set forth herein, and directing Defendants to identify, with Court supervision, victims of their conduct and pay them restitution.

E. Awarding interest on the monies wrongfully obtained from the date of collection through the date of entry of judgment in this action.

F. An order awarding Plaintiff her costs of suit, including reasonable attorneys' fees and pre and post-judgment interest, as provided by law, or equity, or as otherwise available.

G. Such other and further relief as may be available as part of the statutory claims asserted herein, or otherwise as may be deemed necessary or appropriate for any of the claims asserted.

IX. DEMAND FOR JURY TRIAL

Plaintiff hereby demands a trial by jury on all claims and/or issues so triable.

DATED: February 9, 2015

Respectfully Submitted,

/s/William T. Payne
William T. Payne (CSB 90988)
Joseph N. Kravec, Jr.
Wyatt A. Lison
FEINSTEIN DOYLE
PAYNE & KRAVEC, LLC
Allegheny Building, 17th Floor
429 Forbes Avenue
Pittsburgh, PA 15219
Tel: (412) 281-8400
Fax: (412) 281-1007
Email: wpayne@fdpklaw.com
Email: jkravec@fdpklaw.com
Email: wlison@fdpklaw.com

ATTORNEYS FOR PLAINTIFF
AND THE PROPOSED CLASS AND SUBCLASS