In re Anthem, Inc. Data Breach Litig.

• Decision Date: 14 February 2016
• Docket Number: Case No. 15-MD-02617-LHK
• Citation: 162 F.Supp.3d 953
• Parties: In re Anthem, Inc. Data Breach Litigation
• Court: U.S. District Court — Northern District of California

162 F.Supp.3d 953

In re Anthem, Inc. Data Breach Litigation

Case No. 15-MD-02617-LHK

United States District Court, N.D. California, San Jose Division.

Signed February 14, 2016

ORDER GRANTING IN PART AND DENYING IN PART ANTHEM DEFENDANTS' MOTION TO DISMISS AND ORDER GRANTING IN PART AND DENYING IN PART NON-ANTHEM DEFENDANTS' MOTION TO DISMISS

Re: Dkt. No. 410, 413

LUCY H. KOH, United States District Judge

Plaintiffs¹ bring this putative class action against Anthem, Inc., 28 Anthem affiliates,² Blue Cross Blue Shield Association, and 17 non-Anthem Blue Cross Blue Shield Companies.³ The Court shall refer to Anthem, Inc. and the Anthem affiliates as the “Anthem Defendants,” and shall refer to Blue Cross Blue Shield Association and the non-Anthem Blue Cross Blue Shield Companies as the “Non-Anthem Defendants.” The Court shall refer to the Anthem and Non-Anthem Defendants collectively as “Defendants.”

Before the Court are separate motions to dismiss Plaintiffs' consolidated amended complaint (“CAC”) filed by the Anthem and Non-Anthem Defendants. See ECF No. 334-6 (“CAC”); ECF No. 410 (“Anthem Mot.”); ECF No. 413 (“Non-Anthem Mot.”). Having considered the parties' submissions, the relevant law, and the record in this case, the Court hereby GRANTS in part and DENIES in part the Anthem Defendants' motion to dismiss and GRANTS in part and DENIES in part the Non-Anthem Defendants' motion to dismiss.

I. BACKGROUND

A. Factual Background

Defendant Anthem, Inc. (“Anthem”) is one of the largest health benefits and health insurance companies in the United States. CAC ¶ 109. Anthem serves its members through various Blue Cross Blue Shield (“BCBS”) licensee affiliates and other non-BCBS affiliates. Id. ¶ 155. Anthem also cooperates with the Blue Cross Blue Shield Association (“BCBSA”) and several independent BCBS licensees via the BlueCard program. Id. ¶ 156. “Under the BlueCard program, members of one BCBS licensee may access another BCBS licensee's provider networks and discounts when the members are out of state.” Id.

In order to provide certain member services, the Anthem and Non-Anthem Defendants “collect, receive, and access their customers' and members' extensive individually identifiable health record information.” Id. ¶ 157. “These records include personal information (such as names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data) and individually-identifiable health information (pertaining to the individual claims process, medical history, diagnosis codes, payment and billing records, test records, dates of service, and all other health information that an insurance company has or needs to have to process claims).” Id. The Court shall refer to members' personal and health information as Personal Identification Information, or “PII.”

Anthem maintains a common computer database which contains the PII of current and former members of Anthem, Anthem's affiliates, BCBSA, and independent BCBS licensees. Id. ¶ 158. In total, Anthem's database contains the PII of approximately 80 million individuals. Id. ¶ 204. According to Plaintiffs, both the Anthem and Non-Anthem Defendants promised their members that their PII would be protected. Blue Cross of California, for instance, mailed the following privacy notice to its members:

We keep your oral, written and electronic [PII] safe using physical, electronic, and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your [PII] safe include securing offices that hold [PII], password-protecting computers, and locking storage areas and filing cabinets. We require our employees to protect [PII] through written policies and procedures.... Also, where required by law, our affiliates and nonaffiliates must protect the privacy of data we share in the normal course of business. They are not allowed to give [PII] to others without your written OK, except as allowed by law and outlined in this notice.

Id. ¶ 163 (emphasis removed). In February 2015, Anthem announced to the public that “cyberattackers had breached the Anthem Database, and [had] accessed [the PII of] individuals in the Anthem Database.” Id. ¶ 203. This was not the first time that Anthem had experienced problems with data security. In late 2009, approximately 600,000 customers of Wellpoint (Anthem's former trade name) “had their personal information and protected healthcare information compromised due to a data breach.” Id. ¶ 194. In addition, in 2013, the U.S. Department of Health and Human Services fined Anthem $1.7 million for various HIPAA violations related to data security. Id. ¶ 195. Finally, in 2014, the federal government informed Anthem and other healthcare companies of the possibility of future cyberattacks, and advised these companies to take appropriate measures, such as data encryption and enhanced password protection. Id. ¶¶ 200–01.

Plaintiffs allege that Defendants did not sufficiently heed these warnings, which allowed cyberattackers to extract massive amounts of data from Anthem's database between December 2014 and January 2015. Id. ¶ 226. After Anthem discovered the extent of this data breach, it proceeded to implement various containment measures. Id. ¶ 232. The cyberattacks ceased by January 31, 2015. Id. In addition, after learning of the cyberattacks, Anthem proceeded to retain Mandiant, a cybersecurity company, “to assist in assessing and responding to the Anthem Data Breach and to assist in developing security protocols for Anthem.” Id. ¶ 207. Mandiant's work culminated in the production of an Intrusion Investigation Report (“Mandiant Report”), which Mandiant provided to Anthem in July 2015. Id.

According to Plaintiffs, the Mandiant Report found that “Anthem and [its] Affiliates [had] failed to take reasonable measures to secure the [PII] in their possession.” Id. ¶ 236. Likewise, Plaintiffs allege that “Anthem and Anthem Affiliates [ ] lacked reasonable encryption policies.” Id. ¶ 237. Additionally, “BCBSA and non-Anthem BCBS allowed the [PII] that their current and former customers and members had entrusted with them to be placed into the Anthem Database even though there were multiple public indications and warnings that the Anthem and Anthem Affiliates' computer systems and data security practices were inadequate.” Id. ¶ 243. Plaintiffs further aver that although Anthem publicly disclosed the data breach in February 2015, many affected customers were not personally informed until March 2015, if at all. Id. ¶ 250. Finally, Plaintiffs contend that Anthem still has not disclosed whether it has made any changes to its security practices to prevent a future cyberattack.

B. Procedural History

A number of lawsuits were filed against the Anthem and Non-Anthem Defendants in the wake of the Anthem data breach. In general, these lawsuits bring putative class action claims alleging (1) failure to adequately protect Anthem's data systems, (2) failure to disclose to customers that Anthem did not have adequate security practices, and (3) failure to timely notify customers of the data breach.

In spring 2015, Plaintiffs in several lawsuits moved to centralize pretrial proceedings in a single judicial district. See 28 U.S.C. § 1407(a) (“When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings.”). On June 12, 2015, the Judicial Panel on Multidistrict Litigation (“JPML”) issued a transfer order selecting the undersigned judge as the transferee court for “coordinated or consolidated pretrial proceedings” in the multidistrict litigation (“MDL”) arising out of the Anthem data breach. See ECF No. 1 at 1–3.⁴

On September 10, 2015, the Court held a hearing to appoint Lead Plaintiffs' counsel. Following this hearing, the Court issued an order appointing Co-Lead Plaintiffs' counsel and requesting that counsel file a single consolidated amended complaint by October 19, 2015. ECF No. 284 at 2. On October 19, 2015, Plaintiffs filed their consolidated amended complaint, which organized Plaintiffs' causes of action into thirteen different counts, with claims pursuant to various state and federal laws asserted under each count. The complaint's prayer for relief included requests for class certification, injunctive relief, and damages.

On this final form of relief, Plaintiffs seek damages arising from four separate economic losses. First, Plaintiffs allege that they “paid Anthem money for services that should have included protecting their [PII] from unauthorized disclosure”; Plaintiffs refer to these losses as “Benefit of the Bargain” losses. ECF No. 424 at 3. Second, Plaintiffs seek recovery for “the theft of Plaintiffs' [PII],” which Plaintiffs refer to as the “Loss of Value of PII.” Id. Third, Plaintiffs allege that many class members “incurred out-of-pocket losses, including delayed tax returns, and the time and costs of credit monitoring.” Plaintiffs refer to these losses as “Out of Pocket” costs. Id. Finally, Plaintiffs allege that all class members “are at significant risk of imminent identity theft...as a result of the exfiltration of their [PII],” which Plaintiffs refer to as the “Imminent Risk of Further Costs.” Id.

At the October 25, 2015 case management conference, the Court determined that the Anthem Defendants and Non-Anthem Defendants would file separate motions to dismiss. Both motions would be “limited to a combined total of 10 claims, with 5 claims selected by Plaintiffs, 3 claims selected by the Anthem Defendants, and 2 claims selected by the [Non-Anthem Defendants].” ECF No. 326 at 2–3. At the November 10, 2015 case management conference, the parties informed the Court of the 10 claims that would be addressed in Defendants' motions to dismiss. ECF No. 366 at 2.

On November 23, 2015, the Anthem Defendants and Non-Anthem Defendants filed their...