Lawsuits are piling up over the data breach at Anthem, the second-largest U.S. health insurer, that exposed personal data about 80 million individuals. The latest was filed on Wednesday (Feb. 18) in Denver, the Denver Post reported.
The class-action lawsuit names Mary Mellon, a Denver County resident, as the plaintiff, and argues that Anthem should have discovered the Dec. 10 breach earlier than Jan. 27, and should have told affected customers about it before Feb. 5, when the company put a notification of the breach on its website.
The lawsuit also says Anthem failed to prevent phishing emails in the wake of the breach, and has failed to tell each of the 80 million affected customers precisely which information about that customer was stolen. The complaint specifically accuses Anthem of negligence, breach of contract and failing to report the breach in a timely manner.
Another Denver class-action lawsuit, this one naming Colorado resident Dana Hills as plaintiff, accuses Anthem of charging its customers “enhanced membership fees and insurance premiums in exchange for Anthem’s repeated promises of data security and protection,” which Anthem failed to deliver. “Defendant was able to charge higher premiums, as consumers are willing to pay more for the security of their data, and would obviously pay less if they knew the truth that such data was not actually going to be protected,” the complaint says.
Patrick Peluso, the attorney who filed the Hills lawsuit, estimated that “there are probably about 40 cases that have been filed, and there probably will be more.” Peluso also said it’s likely that the cases will be consolidated, as has been the case with payment-card data breach cases involving Target, Home Depot and other retailers.
While all of the proposed class actions share virtually identical factual allegations, part of the reason for the endless stream of filings is the opportunity to present new theories as to how Anthem customers were harmed by the breach. In the Hills lawsuit, the theory is that customers wouldn’t have paid high premiums if they knew Anthem would be breached; in the Mellon complaint, it’s that Anthem didn’t notify and protect customers after the breach.
Many of those theories will fall by the wayside when the cases are consolidated. One that already appears to have fallen is the argument that Anthem was required to encrypt customer data under the Health Insurance Portability and Accountability Act. But HIPAA encourages but does not require insurers to use data encryption.
In the Anthem breach, encryption would not have been effective anyway, because the cyberattackers used stolen credentials that would have let them decrypt the data.