In re Anthem, Inc.

IN RE ANTHEM, INC. DATA BREACH LITIGATION

Case No. 15-MD-02617-LHK

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION

May 27, 2016

ORDER GRANTING IN PART AND DENYING IN PART ANTHEM DEFENDANTS' SECOND MOTION TO DISMISS, GRANTING IN PART AND DENYING IN PART NON-ANTHEM DEFENDANTS' SECOND MOTION TO DISMISS, AND DENYING MOTION FOR CLARIFICATION [PUBLIC VERSION]

Re: Dkt. No. 483, 490, 496

Plaintiffs¹ bring this putative class action against Anthem, Inc., 27 Anthem affiliates,² Blue Cross Blue Shield Association, and 14 non-Anthem Blue Cross Blue Shield Companies.³ The Court refers to Anthem, Inc. and the Anthem affiliates as the "Anthem Defendants," and Blue Cross Blue Shield Association and the non-Anthem Blue Cross Blue Shield Companies as the "Non-Anthem Defendants." The Court refers to the Anthem and Non-Anthem Defendants collectively as "Defendants." The Court refers to Plaintiffs generally as "Plaintiffs," unless referring to Plaintiffs from a specific jurisdiction, such as California Plaintiffs or New York Plaintiffs.

The Anthem Defendants filed one consolidated motion to dismiss the second consolidated amended complaint ("SAC"). See ECF No. 473-3 ("SAC"); ECF No. 496 ("Anthem Mot."). The Non-Anthem Defendants also filed one consolidated motion to dismiss the SAC. ECF No. 490 ("Non-Anthem Mot."). The Non-Anthem Defendants have also filed a motion for clarification of the Court's First Motion to Dismiss Order. ECF No. 483. Having considered the parties' submissions, the relevant law, and the record in this case, the Court GRANTS in part and DENIES in part the Anthem Defendants' motion to dismiss; GRANTS in part and DENIES in part the Non-Anthem Defendants' motion to dismiss; and DENIES the Non-Anthem Defendants' motion for clarification.

I. BACKGROUND

A. Factual Background

Anthem, Inc. ("Anthem") is one of the largest health benefits and health insurance companies in the United States. SAC ¶ 158. Anthem serves its members through various Blue Cross Blue Shield ("BCBS") licensee affiliates and other non-BCBS affiliates. Id. Anthem also cooperates with the Blue Cross Blue Shield Association ("BCBSA") and independent BCBS licensees via the BlueCard program. Id. ¶ 159. "Under the BlueCard program, members of one BCBS licensee may access another BCBS licensee's provider networks and discounts when the members are out of state." Id.

In order to provide certain member services, the Anthem and Non-Anthem Defendants "collect, receive, and access their customers' and members' extensive individually identifiable health record information." Id. ¶ 160. "These records include personal information (such as names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data) and individually-identifiable health information (pertaining to the individual claims process, medical history, diagnosis codes, payment and billing records, test records, dates of service, and all other health information that an insurance company has or needs to have to process claims)." Id. The Court shall refer to members' personal and health information as Personal Identification Information, or "PII."

Anthem maintains a common computer database which contains the PII of current and former members of Anthem, Anthem's affiliates, BCBSA, and independent BCBS licensees. Id. ¶ 161. This database contains "information from former customers or members going back to 2004." Id. ¶ 162. In total, Anthem's database contains the PII of approximately 80 million individuals. Id. ¶ 338. According to Plaintiffs, both the Anthem and Non-Anthem Defendants promised their members that their PII would be protected through privacy notices, online website representations, and other advertising. Plaintiffs aver, for instance, that all Defendants were subject to Anthem's privacy policy, which states the following:

Anthem Blue Cross and Blue Shield maintains policies that protect the confidentiality of personal information, including Social Security numbers, obtained from its members and associates in the course of its regular business functions. Anthem Blue Cross and Blue Shield is committed to protecting information about its customers and associates, especially the confidential nature of their personal information.

* * *

Anthem Blue Cross and Blue Shield has in place a minimum necessary policy which states that associates may only access, use or disclose Social Security numbers or personal information to complete a specific task and as allowed by law.

Anthem Blue Cross and Blue Shield safeguards Social Security numbers and other personal information by having physical, technical, and administrative safeguards in place.

Id. ¶ 165 (emphasis removed). Many Anthem-affiliated websites further refer to Defendants' privacy obligations under the Health Insurance Portability and Accountability Act ("HIPAA") as well as other federal and state privacy laws. Id.

In February 2015, Anthem publicly announced that "cyberattackers had breached the Anthem Database, and [had] accessed [the PII of] individuals in the Anthem Database." Id. ¶ 337. This was not the first time that Anthem had experienced problems with data security. In late 2009, approximately 600,000 customers of Wellpoint (Anthem's former trade name) "had their personal information and protected healthcare information compromised due to a data breach." Id. ¶ 328. In addition, in 2013, the U.S. Department of Health and Human Services fined Anthem $1.7 million for various HIPAA violations relating to data security. Id. ¶ 329. Finally, in 2014, the federal government informed Anthem and other healthcare companies of the possibility of cyberattacks, and advised these companies to take appropriate measures, such as data encryption and enhanced password protection. Id. ¶¶ 334-35.

Plaintiffs allege that Defendants did not sufficiently heed these warnings, which allowed cyberattackers to extract massive amounts of data from Anthem's database between December 2014 and January 2015. Id. ¶ 360. After Anthem discovered the extent of this data breach, it proceeded to implement various containment measures. Id. ¶ 365-66 . The cyberattacks ceased by January 31, 2015. Id. In addition, after learning of the cyberattacks, Anthem retained Mandiant, a cybersecurity company, "to assist in assessing and responding to the Anthem Data Breach and to assist in developing security protocols for Anthem." Id. ¶ 341. Mandiant's work culminated in the production of an Intrusion Investigation Report ("Mandiant Report"), which Mandiant provided to Anthem in July 2015. Id.

According to Plaintiffs, the Mandiant Report found that "Anthem and [its] Affiliates [had] failed to implement basic industry-accepted data security tools to prevent cyberattackers from accessing the Anthem Database." Id. ¶ 343. Moreover, "[e]ven if the cyberattackers gained access to the Anthem Database, Anthem could have and should have, but failed to, discover the data breach before any data was exfiltrated." Id. ¶ 345.

Additionally, "BCBSA and [the] non-Anthem BCBS [companies] allowed the [PII] that their current and former customers and members had entrusted with them to be placed into the Anthem Database even though there were multiple public indications and warnings that the Anthem and Anthem Affiliates' computer systems and data security practices were inadequate." Id. ¶ 377. Plaintiffs further aver that although Anthem publicly disclosed the data breach in February 2015, many affected customers were not personally informed until March 2015. Finally, Plaintiffs contend that Anthem still has not disclosed whether it has made any changes to its security practices to prevent a future cyberattack.

B. Procedural History

A number of lawsuits were filed against Defendants in the wake of the Anthem data breach. In general, these lawsuits bring putative class action claims alleging (1) failure to adequately protect Anthem's data systems, (2) failure to disclose to customers that Anthem did not have adequate security practices, and (3) failure to timely notify customers of the data breach.

In spring 2015, Plaintiffs in several lawsuits moved to centralize pretrial proceedings in a single judicial district. See 28 U.S.C. § 1407(a) ("When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings."). On June 12, 2015, the Judicial Panel on Multidistrict Litigation ("JPML") issued a transfer order selecting the undersigned judge as the transferee court for "coordinated or consolidated pretrial proceedings" in the multidistrict litigation ("MDL") arising out of the Anthem data breach. See ECF No. 1 at 1-3.⁴

On September 10, 2015, the Court held a hearing to appoint Lead Plaintiffs counsel. Following this hearing, the Court issued an order appointing Co-Lead Plaintiffs counsel and requesting that counsel file a single consolidated amended complaint by October 19, 2015. ECF No. 284 at 2. On October 19, 2015, Plaintiffs filed their consolidated amended complaint, which organized Plaintiffs' causes of action into thirteen different counts, with claims asserted pursuant to various state and federal laws under each count. ECF No. 334-6 ("CAC").

At the October 25, 2015 case management conference, the Court determined that the Anthem and Non-Anthem Defendants would file separate motions to dismiss. Both motions would be "limited to a combined total of 10 claims, with 5 claims selected by Plaintiffs, 3 claims selected by the Anthem Defendants, and 2 claims selected by the [Non-Anthem Defendants]." ECF No. 326 at 2-3. At the November 10, 2015 case management conference, the parties identified the 10 claims that would be addressed in Defendants' motions to dismiss.

On November 23, 2015, the Anthem Defendants and Non-Anthem Defendants filed their first round ...