Data Breach Class Action Central District of California.

ZIMMERMAN REED, PLLP
BRADLEY C. BUHROW (CA Bar No. 283791)
E-mail: [email protected]
14646 N. Kierland Blvd., Suite 145
Scottsdale, Arizona 85254
(480) 348-6400
(480) 348-6415 Facsimile

RIDOUT LYON + OTTOSON, LLP
CHRISTOPHER P. RIDOUT (SBN: 143721)
E-mail: [email protected]
CALEB MARKER (SBN: 294155)
E-mail: [email protected]
555 E. Ocean Blvd., Suite 500
Long Beach, California 90802
(562) 216-7380
(562) 216-7385 Facsimile

Attorneys for Plaintiffs
(Additional Counsel Listed Below)

UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF CALIFORNIA

John Doe, individually and on behalf of all others similarly situated,
Plaintiff,
v.
ANTHEM, INC., d/b/a Anthem Health, Inc., an Indiana corporation, THE ANTHEM COMPANIES, INC., an Indiana corporation, THE ANTHEM COMPANIES OF CALIFORNIA, INC., a California corporation, ANTHEM BLUE CROSS LIFE AND HEALTH INSURANCE COMPANY, a California corporation, and DOES 1-25,
Defendants.

Case No. ___________

CLASS ACTION COMPLAINT FOR:
1. Negligence
2. Violations of Cal. Bus. & Prof. Code §17200, et seq.
3. Violation of Cal. Civ. Code §1798.80, et seq.
4. Violation of Cal. Civ. Code §56, et seq.

DEMAND FOR JURY TRIAL

Case 2:15-cv-00934-SVW-JPR Document 1 Filed 02/09/15 Page 1 of 21 Page ID #:1
Plaintiff John Doe (“Plaintiff”), on behalf of himself and all others similarly
situated, brings this class action against Defendants Anthem, Inc., doing business as
Anthem Health, Inc., The Anthem Companies, Inc., The Anthem Companies of
California, Inc., Anthem Blue Cross Life and Health Insurance Company,
(collectively, “Anthem”), and Does 1-25 (collectively, “Defendants”). Plaintiff makes
the following allegations upon information and belief, except as to his own actions,
the investigation of his counsel, and the facts that are a matter of public record.
NATURE OF CLAIM
1. On February 4, 2015, Anthem announced that unauthorized persons had
accessed and obtained from Anthem’s IT Systems the personal information of current
and former Anthem members, including their names, birthdays, medical IDs, social
security numbers, street addresses, email addresses and employment information.
According to Anthem’s own public statements, all Anthem product lines across the
country were impacted by this data breach.
2. This massive breach of Anthem’s IT Systems (“Data Breach”) would
not have occurred, or would not have occurred with such severity, but for Anthem’s
failure to maintain adequate, reasonable and industry-standard data security, a failure
that represents gross disregard of the duties and obligations Anthem owed to Plaintiff
and the Class members.
3. Plaintiff brings this consumer class action against Defendants to recover
statutory and common law damages resulting from Defendants’ failure to safeguard
and secure the personally identifiable information (“PII”) and personal health related
information (“PHI”) of Plaintiff and Class members that they provided to Defendants
for safekeeping. In addition, Plaintiff seeks restitution and injunctive relief that will
ensure that Anthem protects Plaintiff’s and the Class members’ PII and PHI from any
future breaches.
4. As detailed below, Plaintiff brings this action on behalf of himself and all
similarly situated individuals in the United States, and a subclass of California
residents, whose PII and/or PHI was released to unauthorized persons as a result of
Anthem’s failure to safeguard that information while residing on Anthem’s IT
Systems.
PARTIES
5. Plaintiff is an individual who resides in Los Angeles, California.
6. At this time, Plaintiff brings this litigation under a pseudonym to prevent
public disclosure of his identity to protect information highly sensitive and personal to
him and to prevent further invasion of his privacy. Plaintiff will disclose his identity
to Defendants’ counsel and/or this Court upon demand.
7. Defendant Anthem, Inc., doing business as Anthem Health, Inc., is an
Indiana corporation, registered with the California Secretary of State to do business in
California, and headquartered in Indianapolis, Indiana.
8. Defendant The Anthem Companies, Inc. is an Indiana corporation,
registered with the California Secretary of State to do business in California, and
headquartered in Indianapolis, Indiana.
9. Defendant The Anthem Companies of California, Inc. is a California
corporation and headquartered in Indianapolis, Indiana.
10. Defendant Anthem Blue Cross Life and Health Insurance Company is a
California corporation and headquartered in Indianapolis, Indiana.
JURISDICTION AND VENUE
11. This Court has original jurisdiction pursuant to 28 U.S.C. §1332(d)(2).
In the aggregate, Plaintiff’s claims and the claims of the other members of the Class
exceed $5,000,000 exclusive of interest and costs, and there are numerous class
members who are citizens of states other than Defendants’ states of citizenship, which
are Indiana and California.
12. This Court has personal jurisdiction over Anthem because Anthem is
authorized to do and does business in the State of California.
13. Venue is proper in this Court pursuant to 28 U.S.C. §1391 because many
of the acts and transactions giving rise to this action occurred in this District and
because Anthem is subject to personal jurisdiction in this District.
GENERAL ALLEGATIONS
14. Anthem, Inc., previously known as WellPoint, Inc., is one of the largest
for-profit managed health care companies in the United States. According to its fourth
quarter 2014 earnings report, Anthem has over 37 million members enrolled in its
health insurance products nationwide, with a $2.6 billion net income for 2014.
15. Plaintiff is a member of an Anthem Blue Cross HMO Plan. As an
Anthem Plan Member, Plaintiff provided his PII and PHI to Anthem for safekeeping
on Anthem’s IT Systems.
16. On or about February 4, 2015, Anthem published a notice at
anthemfacts.com that Anthem’s members had fallen victim to a data breach stating
that “the personal information from our current and former members such as their
names, birthdays, medical IDs/Social Security numbers, street addresses, email
addresses and employment information, including income data.”
21. On the same day, Anthem amended its Answers to warn its members that
scam e-mail campaigns launched in the wake of the Data Breach were targeting
current and former Anthem members. According to Anthem, such “phishing”
activities “are designed to appear as if they are from Anthem and the emails include a
‘click here’ link for credit monitoring.” Id. Anthem cautions that the emails are not
from Anthem and instructs members not to click on any links provided in the emails
and not to provide any information to the senders of such “phishing” emails.
22. As amended, Anthem’s Answers do not provide any information as to
when its IT System was first compromised, how long unauthorized persons had access
to its IT System or what measures have been taken to prevent further breaches.
23. As amended, Anthem’s Answers do not definitely state that its
members’ banking and medical information was not disclosed to third parties.
24. Given Anthem’s carefully worded and conclusory Answers, Plaintiff
believes and therefore alleges that his and the Class members’ medical information
was released and disclosed to third parties as a result of the Data Breach.
25. Given Anthem’s carefully worded and conclusory Answers, Plaintiff
believes and therefore alleges that his and the Class members’ banking and credit card
information was also released and disclosed to third parties as a result of the Data
Breach.
26. On information and belief, Plaintiff’s and the Class members’ PII and
PHI was disclosed to unauthorized persons as a result of the Data Breach, resulting in
the breach of confidentiality of that PII and PHI.
DEFENDANTS’ FAILURE TO IMPLEMENT ADEQUATE SECURITY OF ITS IT SYSTEMS VIOLATED
FEDERAL AND CALIFORNIA LAWS
27. Under HIPAA and the HITECH Act, Defendants must implement
policies and procedures that limit physical access to their electronic information
systems and the facility or facilities in which they are housed, while ensuring that
properly authorized access is allowed. 45 C.F.R. §164.310.
28. Such policies and procedures must: (a) ensure the confidentiality,
integrity, and availability of all electronic protected health information the covered
entity or business associate creates, receives, maintains, or transmits; (b) protect
against any reasonably anticipated threats or hazards to the security or integrity of
such information; and, (c) protect against any reasonably anticipated uses or
disclosures of such information that are not permitted. Id. at §164.306.
29. Further, Defendants must implement technical policies and procedures
for electronic information systems that maintain PII/PHI to allow access only to those
persons or software programs that have been granted access rights under applicable
HIPAA regulations. Id. at §164.312.
30. When Defendants permit business associates to create, receive, maintain,
or transmit electronic PII/PHI, they must ensure that those business associates comply
with HIPAA and the HITECH Act. Id. at §164.314.
31. Defendants must also conduct an accurate and thorough assessment of
the potential risks and vulnerabilities to the confidentiality, integrity and availability
of electronic protected information held by the covered entity or business associate;
implement procedures to regularly review records of information system activity, such
as audit logs, access reports, and security incident tracking reports; and implement
procedures for guarding against, detecting, and reporting malicious software. Id. at
§164.308.
32. Similarly, the California Confidentiality of Medical Information Act: (a)
requires health care service plans, including Defendants, to protect and secure the
PII/PHI of their members; (b) imposes penalties for violations of the Act; and, (c)
authorizes individuals to bring suit to recover actual and nominal damages for
violations of the Act.
33. On information and belief, Defendants, in violation of HIPAA and the
California Act, did not establish and implement adequate security measures to protect
the PII/PHI residing on Defendants’ IT Systems.
34. Defendants were on notice of the need to re-visit and tighten the security of
their IT Systems but, upon information and belief, failed to do so.
35. In April 2011, the California Department of Managed Healthcare
published a letter “to emphasize to health care service plans (health plans) their
obligations to protect and secure the private medical information of their enrollees.”
In doing so, the Department cautioned that “[a]s the use of electronic protected health
information (PHI) becomes more widespread, the likelihood of unintentional breaches
and disclosures also increases. The foreseeable nature of these events requires that
preventative measures be taken to ensure that enrollee information is protected.”
36. In April 2014, the FBI issued two Private Industry Notifications (“PIN”)
to the healthcare industry warning that healthcare organizing systems, including
medical devices, could be vulnerable to cyber-attacks.
37. Specifically, on April 8, 2014, the FBI issued a PIN to the healthcare
industry warning that “[c]yber actors will likely increase cyber intrusions against
health care systems --- to include medical devices --- due to mandatory transition from
paper to electronic health records (EHR), lax cyber security standards and a higher
financial payout for medical records in the black market.” The FBI Notice also
cautioned that the “health care industry is not as resilient to cyber intrusions compared
to the financial and retail sectors, therefore the possibility of increased cyber
intrusions is likely.”
38. Thereafter, on April 17, 2014, the FBI issued its second PIN, which,
upon information and belief, contained updates on information disclosed in the April
8, 2014 PIN.
39. Despite these warnings of foreseeable security breaches, Defendants
flagrantly disregarded their obligations to safeguard Plaintiff’s and the Class
members’ PII/PHI by intentionally, willfully, recklessly and/or negligently failing to
establish and implement adequate security of their IT Systems. Anthem improperly
handled and stored Plaintiff’s and the Class members’ PII/PHI, leaving it unsecured
and unencrypted on Defendants’ IT Systems and, as a result, failed to maintain the
PII/PHI in accordance with applicable, required, and appropriate cyber-security
protocols, policies and procedures.
40. As a direct result of Defendants’ common course of unlawful conduct,
Plaintiff’s and the Class members’ PII/PHI was released, accessed, breached and
disclosed to unauthorized persons.
DEFENDANTS’ FAILURE TO IMPLEMENT ADEQUATE SECURITY OF ITS IT SYSTEMS
HARMED PLAINTIFF AND THE CLASS
41. In the words of the Federal Trade Commission (“FTC”), the information
Defendants released to unauthorized persons, including Plaintiff’s PII and PHI, is “as
good as gold” to identity thieves.3
42. Identity theft occurs when someone uses another’s PII and/or PHI, such
as that person’s name, address, credit card number, credit card expiration dates, and
other information, without permission, to commit fraud or other crimes. Id. The FTC
estimates that as many as 9 million Americans have their identities stolen each year.
Id.
43. Identity thieves can use identifying data to open new financial accounts
and incur charges in another person’s name, take out loans in another person’s name,
incur charges on existing accounts, or clone ATM, debit, or credit cards. Id.
44. Identity thieves can use PII and PHI such as that pertaining to Plaintiff
and the Class, which Defendants failed to keep secure, to perpetrate a variety of crimes
that do not cause financial loss, but nonetheless harm the victims. For instance,
identity thieves may commit various types of government fraud such as: immigration
fraud; obtaining a driver’s license or identification card in the victim’s name but with
another’s picture; using the victim’s information to obtain government benefits; or,
filing a fraudulent tax return using the victim’s information to obtain a fraudulent
refund.
3 FTC, About Identity Theft, available at: <www.vanderbilt.edu/PersonalIdentityTheftProtection.pdf> (last visited Feb. 5, 2015).
45. In addition, identity thieves may get medical services using the Plaintiff’s
PII and PHI or commit any number of other frauds, such as obtaining a job, procuring
housing or even giving false information to police during an arrest.
46. Annual monetary losses from identity theft are in the billions of dollars.
According to a Presidential Report on identity theft produced in 2008:
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts,...individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic
Plan, at p.11 (April 2007), available at <www.ftc.gov/sites/default/files/
47. According to the U.S. Government Accountability Office (“GAO”),
which conducted a study regarding data breaches:
[L]aw enforcement officials told us that in some cases, stolen data may
be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.
GAO, Report to Congressional Requesters, at p.33 (June 2007), available at
48. “In addition to the financial harm associated with other types of identity
theft, victims of medical identity theft may have their health endangered by inaccurate
entries in their medical records. This inaccurate information can potentially cause
victims to receive improper medical care, have their insurance depleted, become
ineligible for health or life insurance, or become disqualified from some jobs.
Victims may not even be aware that a theft has occurred because medical identity
theft can be difficult to discover, as few consumers regularly review their medical
records, and victims may not realize that they have been victimized until they receive
collection notices, or they attempt to seek medical care themselves, only to discover
that they have reached their coverage limits.” Id. at 30.
49. “With the advent of the prescription drug benefit of Medicare Part D, the
Department of Health and Human Services’ Office of the Inspector General (HHS
OIG) has noted a growing incidence of health care frauds involving identity theft.”
Identity thieves can use such information “fraudulently to enroll unwilling
beneficiaries in alternate Part D plans in order to increase...sales commissions” or
commit other types of fraud. “The types of fraud that can be perpetrated by an identity
thief are limited only by the ingenuity and resources of the criminal.” Id. at 31.
50. The unauthorized disclosure of Social Security Numbers can be
particularly damaging, because Social Security Numbers cannot easily be replaced. In
order to obtain a new number, a person must prove, among other things, that he or
she continues to be disadvantaged by the misuse. Thus, no new number can be
obtained until the damage has been done. Furthermore, as the Social Security
Administration (“SSA”) warns:
a new number probably will not solve all your problems. This is because other governmental agencies (such as the Internal Revenue Service and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) likely will have records under your old number. Also, because credit reporting companies use the number, along with other personal information, to identify your credit record, using a new number will not guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.
If you receive a new Social Security Number, you will not be able to use the old number anymore.
For some victims of identity theft, a new number actually creates new problems. If the old credit information is not associated with the new number, the absence of any credit history under the new number may make it more difficult for you to get credit.
SSA, Identity Theft and Your Social Security Number, SSA Publication No. 05-10064
(Aug. 2009), available at <www.ssa.gov/pubs/10064.html> (last visited Feb. 5, 2015).
51. Anthem’s wrongful actions and inaction directly and proximately caused
the release and disclosure into the public domain of Plaintiff’s and Class members’
unencrypted PII/PHI without their authorization, knowledge or consent.
52. As a further and direct and proximate result of Anthem’s wrongful
actions and inaction and the resulting Data Breach, Plaintiff and Class members have
suffered and will continue to suffer, economic damages and other actual harm
including, without limitation: (i) the untimely and inadequate notification of the Data
Breach; (ii) improper release and disclosure of their PII/PHI; (iii) loss of privacy; (iv)
out-of-pocket expenses incurred to mitigate the increased risk of identity theft and
identity fraud pressed upon them by the Data Breach; (v) the value of their time spent
mitigating identity theft and/or identity fraud and/or the increased risk of identity theft
and/or identity fraud; (vi) deprivation of the value of their PII/PHI, for which there is
a well-established national and international market; (vii) anxiety and emotional
distress; and, (viii) violation of rights they possess under the California statutes as
detailed below.
53. Plaintiff and the Class he seeks to represent now face years of constant
surveillance of their financial and medical records, monitoring, loss of rights, and
potential medical problems.
54. Indeed, according to one identity theft expert quoted in a recent news
article, the Data Breach represents a “mass victimization of the worst kind:”
“This is absolutely the worst kind of data breach, because thieves have stolen the information that’s the most valuable, the most dangerous and impossible to change or cancel,” said Neal O’Farrell, Credit Sesame’s (http://www.creditsesame.com) security and identity theft expert in an email. “This is mass victimization of the worst kind.”
Anthem Data Breach Could be “Lifelong” Battle for Customers, Shari Rudavsky
55. Plaintiff brings this action on his own behalf, and on behalf of all other
persons similarly situated in the United States (the “Nationwide Class”). The
Nationwide Class that Plaintiff seeks to represent is:
All persons who reside in the United States and have purchased health insurance from Anthem, Inc. d/b/a Anthem Health, Inc., The Anthem Companies, Inc., The Anthem Companies Of California, Inc., and/or Anthem Blue Cross Life And Health Insurance Company, and whose personally identifiable information, personal health information, and/or financial information was breached as a result of the data breach announced on or about February 4, 2015.
56. Further, Plaintiff brings this action on his own behalf, and on behalf of
all other persons similarly situated who reside in the State of California (the
“California Class”). The California Class that Plaintiff seeks to represent is:
All persons who reside in California and have purchased health insurance from Anthem, Inc. d/b/a Anthem Health, Inc., The Anthem Companies, Inc., The Anthem Companies Of California, Inc., and/or Anthem Blue Cross Life And Health Insurance Company, and whose personally identifiable information, personal health information, and/or financial information was breached as a result of the data breach announced on or about February 4, 2015.
57. Specifically excluded from the Nationwide Class and the California
Class are: (a) Defendants; any officers, directors, or employees of Defendants; any
entity in which Defendants have a controlling interest; any affiliates, legal
representatives, attorneys, heirs, and assigns of Defendants; (b) the Court, Court
Personnel and members of their immediate families; and, (c) Plaintiff’s counsel and
their staff and members of their immediate families.
58. All requirements for class certification in Fed. R. Civ. P. 23(a) and
23(b)(3) are satisfied with respect to the Nationwide Class and the California Class.
59. Numerosity of the Class. The members of the Nationwide Class and the
California Class are so numerous that the joinder of all members is impractical.
While the exact number of the members of each Class is unknown to Plaintiff at this
time, based upon information and belief, each Class has in excess of one million
members.
60. Ascertainable Class. The community of interest among the Class
members in the litigation is well-defined and the proposed class is ascertainable from
objective criteria. If necessary to preserve the case as a class action, the court itself
can redefine the Classes and/or create sub-classes.
61. Common Questions of Fact and Law Exist and Predominate over
Individual Issues. There is a well-defined community of interest in the questions of
law and fact involved affecting the parties to be represented. These common
questions of law and fact exist as to all members of the Class and predominate over
any questions affecting only individual members, including, but not limited to:
a. Whether Defendants unlawfully used, maintained, lost or disclosed
Class members’ PII and PHI;
b. Whether Anthem unreasonably delayed in notifying affected
customers of the data breach;
c. Whether Defendants failed to implement and maintain reasonable
security procedures and practices appropriate to the nature and
scope of the information compromised in the data breach;
d. Whether Defendants violated the requirements of HIPAA and the
HITECH Act;
e. Whether Defendants violated the requirements of California Civil
Code §1798.80, et seq. (California Class);
f. Whether Defendants’ conduct violated the California Business &
Professions Code §17200, et seq. (California Class);
g. Whether Defendants’ conduct was negligent;
h. Whether Defendants acted willfully and/or with oppression, fraud,
or malice;
i. Whether Defendants unlawfully used, maintained, lost or disclosed
Class members’ PII and PHI;
j. Whether Defendants’ conduct violated the California
Confidentiality of Medical Information Act, California Civil Code
§56, et seq. (California Class); and
k. Whether Plaintiff and the Class are entitled to damages, civil