Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Anthem Breach Lawsuit Proceeds; CareFirst Suit DismissedJudge Rules Anthem Case Will Continue to Discovery Phase
A consolidated federal class action lawsuit against Anthem Inc. filed in the wake of a breach affecting nearly 80 million individuals appears to be one step closer to going to trial. But a similar suit filed against CareFirst Blue Cross Blue Shield has been dismissed.
A judge ruled May 25 that the lawsuit against Anthem, which consolidated about 100 lawsuits against the health insurer, should move on to the discovery phase, according to a report by Courthouse News Service.
U.S. District Judge Lucy Koh indicated that six of the seven claims in the case are likely to survive Anthem's motion to dismiss, according to the news report. And she asked attorneys for both sides to consider reducing the claims to four due to the complexity of the consolidated case.
Koh reportedly said the case's complexity and lack of precedents in data breach class actions made the Anthem case difficult. "We are going to have to address a lot of novel issues," she said, according to the news report.
An attorney representing Anthem declined to comment on the case, and an attorney for the plaintiffs did not immediately respond to an Information Security Media Group's request for comment.
The case against Anthem alleges negligence and claims that the health insurer failed to meet its contractual obligations to protect personal information of its health plan members, resulting in alleged harm or in risk for harm to affected individuals.
At the center of the lawsuit is a hacker attack the insurer revealed in early 2015 that exposed the data of nearly 80 million current and former health plan members.
Attorney Steven Teppler of the law firm Abbott Law Group, who is not involved in the case, says Koh's decision to move the Anthem consolidated case into the discovery phase is significant. "Given the standing and injury requirements, if this case is moving past the motion to dismiss, there's more substance to the allegations and to findings in favor of the plaintiffs," he says.
Because of the complexity of the Anthem case, Teppler expects the discovery phase to last six months to one year. "There will be discovery of Anthem's policies and practices, a huge amount of cyber forensics analysis - reports that will have to be requested and analyzed - and there will be fights about that because they will contain fairly sensitive documents," he says.
In April, another federal judge rejected a motion by Anthem seeking permission to scrutinize plaintiffs' computers for security flaws that could potentially lead to identity theft or fraud. Anthem had filed a motion seeking permission "to access plaintiffs' computers, smartphones and tablets to image and copy them to determine whether the data breach or embedded malware was responsible for the potential harm that could include identity theft and tax problems." (See Unusual Ploy in Anthem Breach Case Fails.)
The case against Baltimore-based health insurer CareFirst, which was recently dismissed, was filed after a breach disclosed in May 2015. CareFirst said that an "unauthorized intrusion" into a database dating back to June 2014 resulted in a breach affecting 1.1 million individuals.
A Maryland federal court judge ruled on May 27 that the plaintiffs had not shown incidents of harm or data misuse resulting from the security breach, "even though a significant amount of time has passed" since the data breach.
Also, the judge dismissed plaintiffs' claims of increased risk of future harm as too speculative. "Key to the speculative nature of this theory of harm is its dependence on a chain of assumptions that must occur before the harm materializes," the judge noted.
Teppler notes that the dismissal of the lawsuit against CareFirst "follows in line with a trend where courts do not find standing without concrete, identifiable injury."
The recent rulings in the Anthem and CareFirst cases shine a light on the complex nature of data breach cases, says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
"It remains extremely challenging for individuals whose information was disclosed in a breach to bring a legal action seeking damages that will survive a motion to dismiss," he says. "Most courts have adopted a standard that the individual must show that they have suffered actual harm in order to bring the case to trial."
Holtzman notes, however, that the Anthem case is being brought, in part, under California law, "which is much more sympathetic to a consumers' right to privacy. It remains to be seen how the court will sort through the ... causes of action offered by the lawyers for the consumers and decide which of the claims brought by the consumers will survive."