Vous êtes sur la page 1sur 11


Case No. 1:15-cv-00096
Margaret McKinley and Nicholas Bowes,
individually and on behalf of all others similarly
ANTHEM, INC., d.b.a Anthem Health, Inc., an
Indiana Corporation, COMMUNITY
INSURANCE COMPANY, d.b.a. Anthem Blue
Cross and Blue Shield,

Plaintiffs Margaret McKinley and Nicholas Bowes (“Plaintiffs”) bring this class action
against Defendants ANTHEM, INC., d.b.a Anthem Health, Inc., an Indiana Corporation and
COMMUNITY INSURANCE COMPANY, d.b.a. Blue Cross Blue Shield (collectively,
“ANTHEM” or DEFENDANTS), as a result of the massive data breach suffered by as many as
80 million ANTHEM customers, on behalf of Plaintiffs and all others similarly situated to obtain
damages, restitution and injunctive relief for the Class, as defined below, from Defendants.
Plaintiffs make the following allegations upon information and belief, except as to their own
actions, the investigation of her counsel, and the facts that are a matter of public record:

This is a consumer class action lawsuit brought on behalf of Plaintiffs,

individually, and on behalf of all other individuals, against Defendants for their failure to
safeguard and secure the medical records, and other personally identifiable information,

2015. Defendant ANTHEM. Ohio. Defendants failed to keep safe their customers’ sensitive private. JURISDICTION AND VENUE 7. 6.. §1332(d)(2). 2. In the aggregate. Plaintiff Margaret McKinley is an individual who resides in this District. and headquartered in Indianapolis. Indiana. that is headquartered in Mason. ANTHEM HEALTH. is an Indiana Corporation. INC. billing information. D. Defendants announced to the public this massive lost of information on or about February 4. social security numbers. medical and personal information. This Court has original jurisdiction pursuant to 28 U. and highly confidential health and other types of information (collectively “Personally Identifiable Information” or “PII”) and personal health related information (collectively “Personal Health Information” or “PHI”) of Plaintiffs and Class Members. This Court has personal jurisdiction over ANTHEM because ANTHEM is authorized to do and does business in the State of Ohio. Plaintiff Nicholas Bowes is an individual who resides in this District. 2 .000 exclusive of interest and costs. and there are numerous class members who are citizens of states other than Defendants’ states of citizenship. 4.S. dates of birth.C.including names. Plaintiffs’ claims and the claims of the other members of the Class exceed $5. Defendant COMMUNITY INSURANCE COMPANY is an Ohio Corporation. registered with the California Secretary of State to do business in California. PHI and PII shall also be referred to collectively as Personal Information.B. financial.A. 8. 5.000. INC. PARTIES 3. which are Indiana and California.

11. patient credit card. telephone numbers and social security numbers and. Clayton.C. patient names. 12. birthdays. medical or clinical information)(hereinafter “PII/PHI”) – which is considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”)—was entrusted to Defendants and was stolen. that they had fallen victim to a data breach stating that “the personal information from our current and former members such as their names. birthdates. Defendants have a significant presence in the State of Ohio. member ID/Social Security numbers. As a result of Defendant’s failure to implement and follow basic security procedures. GENERAL ALLEGATIONS 10. 2015).9. whose personally personally identifiable information (e. 3 . the PII/PHI of over 80 million patients (including Plaintiffs and the class they seek to represent) is now in the hands of thieves. including income data. This is a consumer class action brought by Plaintiffs.com> (last visited February 8. 13. On or about February 4. disclosed. §1391 because many of the acts and transactions giving rise to this action occurred in this District and because ANTHEM is subject to personal jurisdiction in this District. Engelwood.g. and/or made accessible to hackers and identity thieves. including Dayton. ANTHEM published a website notifying its insureds. email addresses and employment information.S. 2015. including many Ohio municipalities. addresses. including its Ohio insureds. and several counties including Butler. Defendants have acknowledged that they insure over three million Ohio residents.anthemfacts. Venue is proper in this Court pursuant to 28 U.” Available at <www. street addresses. individually and on behalf of all other similarly situated persons. possibly including.

to completely and absolutely misuse Plaintiffs’ and class members’ identity to their detriment. Plaintiffs and class members have received a diminished value of the 4 . 5. Gokavi. Aug. costs to rehabilitate PII/PHI. including: the cost of responding to the data breach. 14. available at <http://www.pdf> . Ohio’s Health Insuring Corporations Performance Report.daytondailynews. 15. In addition. Dayton Daily News (Feb. As a result. Defendant Community Insurance Company was Ohio’s largest health insurer by premium revenue in 2013 with more than $5 billion in revenue. and transferred from Defendants has all of the information wrongdoers need. Plaintiffs and class members are imminently in danger of sustaining direct injury as a result of the identify theft they suffered when Defendants failed to protect and secure his PII/PHI and disclosed his PII/PHI to hackers.-com/news/news/crime-law/hackers-steal-millions-of-anthemhealth-insurance-/nj5f4/>. The PII/PHI access. if not additional acts of identity theft and resulting losses. copied. and Simon D. M. 2014 available at <http://ohiohospitals. mitigation costs.. 17. Plaintiffs and class members now face a substantially increased risk of additional instances of identity theft and resulting losses. 16. cost of assessing damages. 2015). Hackers Steal Millions of Anthem Health Insurance Customers’ Data. and the American government and financial system requires.org/OHA/media/Images/News%20and%20Publications/Reports/Ohio-Health-Insuring-Corporations-Report-August-2014. These further instances of identity theft are certainly impending and imminent. Plaintiffs and class members have and will continue to spend significant time and money to protect themselves. Ohio Hospital Association. In addition. and costs to reimburse from losses proximately caused by the breach.Clark and Champaign.

19. based on information and belief. Plaintiffs have health insurance issued by ANTHEM. On information and belief. Inc. and as a result. Plaintiffs’ claims are typical of the members of the Class. 2015. attorneys. and on behalf of all other persons similarly situated (“the Class”). heirs. as a direct and proximate result of Defendant’s failure to follow contractually agreed upon. officers. any entity in which Defendants have a controlling interest. Excluded from the Class are Defendants.services they paid Defendants to provide.b. Plaintiffs’ PHI and PII was disclosed in the data breach. and Plaintiffs can fairly and adequately represent the interests of the Class. d. and assigns of the Defendants. There is a well-defined community of interest among the members of the Class because common questions of law and fact predominate.a Anthem Health. This action satisfies the requirements of Federal Rule of Civil Procedure 23(b)(3) 5 . Inc. it is in the millions. While the exact number of Class members is unknown to Plaintiffs at this time. 18. The members of the Class are so numerous that the joinder of all members is impractical. 21. CLASS ACTION ALLEGATIONS 20. and industry standard security procedures. or Community Insurance Company and whose personal and/or financial information was breached as a result of the data breach announced on or about February 4. 22. Anthem has required that Plaintiffs provide their PII/PHI to Anthem. 23. federally mandated. Plaintiffs bring this action on their own behalf. The Class that Plaintiffs seek to represent is: All persons who reside in Ohio and have purchased health insurance from Anthem. the affiliates. legal representatives. and employees of Defendants. directors.

Whether Defendants unlawfully used. members’ PHI and PII. 25. punitive damages. was misused and/or disclosed by Defendants. Whether Defendants’ conduct constituted Public Disclosure of Private e. lost or disclosed Class Facts. f. g. c. class treatment is 6 . d. like that of every other class member. Whether Defendants unlawfully used. b. Whether Defendants failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach. but not limited to: a. Whether Plaintiffs and the Class are entitled to damages. 24. maintained. including. Accordingly.because it involves questions of law and fact common to the member of the Class that predominate over any questions affecting only individual members. 26. Plaintiffs’ claims are typical of those of other Class members because Plaintiffs’ PHI and PII. Whether Defendants’ conduct constituted Bailment. and/or injunctive relief. lost or disclosed Class members’ PHI and PII. which would establish incompatible standards of conduct for Defendants and would lead to repetitive adjudication of common questions of law and fact. The prosecution of separate actions by individual members of the Class would create a risk of inconsistent or varying adjudications with respect to individual members of the Class. maintained. civil penalties. Plaintiffs will fairly and accurately represent the interests of the Class. Whether ANTHEM unreasonably delayed in notifying affected customers of the data breach.

secured. and not disclose their PII/PHI.superior to any other method for adjudicating the controversy. 30. Defendants have acted or refused to act on grounds that apply generally to the class. keep private. as alleged above. Plaintiffs knows of no difficulty that will be encountered in the management of this litigation that would preclude its maintenance as a class action under Rule 23(b)(3). These documents were provided in a manner and during a time where they became part of the agreement for services. so that in the absence of class treatment. In documents that memorialize the obligations of the parties. kept private. and certification is proper under Rule 23(b)(2). 32. protect. keep private. Plaintiffs and Class Members paid money to Defendants in exchange for services. 27. Defendants promised Plaintiffs and Class Members that it would protect. FIRST COUNT Breach of Contract 29. and not disclose Plaintiffs’ and Class Members’ PII/PHI. Defendants’ violations of law inflicting substantial damages in the aggregate would go un-remedied without certification of the Class. secure. 33. Plaintiffs incorporate the substantive allegations contained in all previous paragraphs as if fully set forth herein. 28. which included promises to secure. Damages for any individual class member are likely insufficient to justify the cost of individual litigation. Defendants promised to comply with all HIPAA standards and to make sure that Plaintiffs’ PII/PHI was protected. and not disclosed. safeguard. 7 . 31.

therefore. and not disclose to third-parties Plaintiffs’ and Class Members’ PII/PHI. to the extent it was not expressed or. Defendants agreed to protect. but an implied contract existed between the parties whereby. and transferred by or disclosed to third parties.34. in exchange for monies from Plaintiffs and Class Members. keep private. 40. protected. 35. an express contract did not exist. 41. safeguard. Defendant’s failure to satisfy their confidentiality and privacy obligations resulted in Defendants providing services to Plaintiffs and Class Members that were of a diminished value. safeguarded. kept private. Plaintiffs and Class Members have been harmed. breached its contract with Plaintiffs and Class Members. safeguard. an implied contract existed in the absence of an express contract whereby. Defendants promised to comply with all HIPAA standards and regulations and to ensure that Plaintiffs’ and Class Members’ PII/PHI was secured. 36. 38. 39. Defendants failed to secure. To the extent that it was not expressed. Plaintiffs seek an award of compensatory damages from Defendants on behalf of 8 . copied. damaged. Alternatively. again alternatively. and/or injured. Under the implied contract. Defendants were further obligated to provide Plaintiffs and Class Members with prompt and sufficient notice of any and all unauthorized access and/or theft of their PII/PHI. 37. and not disclosed to third parties. Alternatively. Furthermore. secure. an implied contract was created whereby Defendants promised to safeguard Plaintiffs’ and Class Members’ health information and PII/PHI from being accessed. protect. and/or keep private Plaintiffs’ and Class Members’ health information and PII/PHI and. As a result.

Plaintiffs incorporate the substantive allegations contained in all previous paragraphs as if fully set forth herein. 45. Plaintiffs and the Class members have suffered harm. Plaintiffs seek actual damages on behalf of the Class.themselves and the class. to pay for the administrative costs of data management and security. 43. 49. The monthly insurance premiums paid by Plaintiffs and Class Members to Defendants comprise the benefits conferred. 46. Plaintiffs and the Class members delivered and entrusted their Private Information to Defendants for the sole purpose of receiving services from Defendants. Defendants owed Plaintiffs and the Class members a duty to safeguard this information properly and maintain reasonable security procedures and practices to protect such information. THIRD COUNT Unjust Enrichment 47. During the time of bailment. in part. SECOND COUNT Bailment 42. Defendants have knowledge of the benefits conferred by Plaintiffs and Class 9 . Plaintiffs incorporate the substantive allegations contained in all previous paragraphs as if fully set forth herein. As a result of these breaches of duty. 44. Defendants used these premiums. Defendants breached this duty by failing to maintain Plaintiffs’ and Class Members’ PII/PHI in a reasonably secure manner. 48. Plaintiffs and Class Members have conferred benefits on Defendant.

For equitable relief enjoining Defendants from engaging in the wrongful conduct complained of herein pertaining to the misuse and/or disclosure of Plaintiffs’ and Class members’ Private Information. and G. F. Since Defendants failed to implement the data management and security protocols and procedures required by law and by industry standards. and statutory penalties. complete and accurate disclosures to the Plaintiffs and Class members. compensatory damages. DEMAND FOR JURY TRIAL Plaintiffs hereby demand a jury trial of his claims to the extent authorized by law. in an amount to be determined. B. For an award of punitive damages. it should not be permitted to retain the premiums paid by Plaintiffs and Class Members. as allowable by law. The circumstances are such that it would be inequitable for Defendants to retain the benefits conferred without paying fair value for it. For an award of actual damages. and from refusing to issue prompt. Such other and further relief as this court may deem just and proper.Members and has retained these benefits. For an Order certifying this action as a class action and appointing Plaintiffs and their Counsel to represent the Class. D. statutory damages. 10 . 50. E. For an award of costs of suit and attorneys’ fees. For equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of Defendants’ wrongful conduct. C. PRAYER FOR RELIEF WHEREFORE Plaintiffs pray for judgment as follows: A.

Jaffe________________________ Steven R. 425 North Andrews Avenue. Ohio 44124 Telephone: (440) 442-6622 Facsimile: (440) 442-7999 /s/ Steven R. Jaffe (Fla.com Seth M.com FARMER. 6105 Parkland Boulevard Cleveland. Lehrman (Fla. Kuri (Ohio Bar No. Suite 2 Fort Lauderdale. 909191)* Email: mark@pathtojustice. P..L.com ELK AND ELK CO. Kuri________________________ Phillip A.com Kimberly C. 0085794) Email: kyoung@elkandelk. Bar No.com Mark S. LTD. Young (Ohio Bar No. EDWARDS. FL 33301 Telephone: (954) 524-2820 Facsimile: (954) 524-2822 *Seeking Pro Hac Vice Admission 11 . JAFFE.Dated: February 9. 2015 /s/ Phillip A. FISTOS & LEHRMAN. Bar No. 132896)* Email: seth@pathtojustice. Bar No. Fistos (Fla. WEISSING. 0061910) Email: pkuri@elkandelk. 390770)* Email: steve@pathtojustice.