Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 1 of 24 PageID #: 1 Benjamin K. Grant (ME Bar # 4328) McTeague, Higbee, Case, Cohen, Whitney & Toker, P.A 4 Union Park P.O. Box 5000 Topsham, ME 04086 Phone: (800) 210-8740 Fax: (207) 725-1090 Email: bgrant@mcteaguehigbee.com ATTORNEYS FOR PLAINTIFF AND THE PROPOSED CLASS IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MAINE PORTLAND DIVISION BRIAN MASON, and all others similarly situated, Plaintiff, vs. CIV NO. CLASS ACTION COMPLAINT DEMAND FOR JURY TRIAL ANTHEM, INC., ANTHEM HEALTH PLANS OF MAINE, INC., D/B/A BLUE CROSS AND BLUE SHIELD OF MAINE, AND DOES 1-10. Defendants. Plaintiff Brian Mason (“Plaintiff”), by his attorneys, brings this class action on his own behalf and on behalf of all others similarly situated against Defendants Anthem, Inc. (“Anthem, Inc.”), Anthem Health Plans of Maine, Inc., doing business as Blue Cross and Blue Shield of Maine (“Anthem ME”), and other unknown DOE defendants (collectively all defendants are referred to as “Defendants”), and alleges as follows upon information and belief based on, inter alia, the investigation of his counsel: Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 2 of 24 PageID #: 2 INTRODUCTION 1. This is a consumer class action lawsuit brought by Plaintiff Brian Mason, individually and on behalf of a National Class and a Maine Subclass, whose sensitive personally identifiable information including names, birthdays, Social Security numbers, street addresses, email addresses, and employment information, including income data (collectively referred to as “PII”) was entrusted to Anthem, Inc. through its subsidiary Anthem ME and was stolen by hackers from the servers on which Anthem, Inc. maintained it in a data breach that Anthem, Inc. announced on February 4, 2015.1 2. As insurers to whom Plaintiff and National Class and Maine Subclass Members entrusted their most sensitive, confidential, and deeply personal information, including Social Security Numbers, medical and financial information, Anthem, Inc. and Anthem ME both had a duty to take reasonable measures to protect Plaintiff’s and National Class and Maine Subclass Members’ PII. However, Anthem, Inc. and Anthem ME breached this duty. 3. Anthem, Inc. breached this duty by failing to take the basic precautionary measure of encrypting consumers’ PII.2 Had Anthem, Inc. encrypted its customers’ PII, Plaintiff and National Class and Maine Subclass Members would not face the risks that they now face because encrypted data cannot be read unless a user has the decryption key and, thus, would be useless to the hackers who acquired it because encrypted data is not easily readable.3 In other words, had 1 See, e.g., Kurane and Finkle, At Least 300,000 Mainers at Risk in Anthem Cybersecurity Breach, Bangor Daily News, February 5, 2015, available at http://bangordailynews.com/2015/02/05/business/anthem-hit-by-massive-cybersecurity-breachpersonal-data-stolen/ (last visited February 10, 2015). 2 Yadron and Beck, Health Insurer Anthem Didn’t Encrypt Data in Theft, Wall Street Journal, February 5, 2015, available at http://www.wsj.com/articles/investigators-eye-china-in-anthemhack-1423167560 (last visited February 10, 2015). 3 Id. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 3 of 24 PageID #: 3 Anthem, Inc. encrypted the PII that it possessed, hackers would now possess electronic gibberish instead of Plaintiff’s and National Class and Maine Subclass Members Social Security numbers and other PII. Unfortunately, Anthem, Inc.’s failure to encrypt its customers’ PII means that these customers’ data is now freely readable by the hackers who acquired it and by whomever these hackers choose to sell the PII to. 4. In addition to failing to encrypt PII, Anthem, Inc. also failed to take other reasonable security measures to protect customers’ PII, including by: (i) failing to exercise reasonable care in safeguarding Plaintiff’s and National Class and Maine Subclass Members’ PII and maintaining it in a computer system inadequate to prevent the PII from being stolen or misused by unauthorized persons; (ii) failing to implement processes to detect a breach of its security systems containing Plaintiff’s and National Class and Maine Subclass Members’ PII in a timely manner, and to act upon any warnings or alerts that its security systems were breached; (iii) failing to timely disclose to Plaintiff and National Class and Maine Subclass Members the breach or breaches of its security systems; and (iv) failing to disclose that it could not adequately secure from theft, intrusion, or misuse Plaintiff’s and National Class and Maine Subclass Members’ PII. 5. Furthermore, Anthem ME breached its duty to secure and protect the PII with which it was entrusted by Plaintiff and Maine Subclass Members by providing this PII to Anthem, Inc. when it knew or should have known of the above inadequacies in Anthem, Inc.’s protection of the PII. 6. Anthem Inc.’s and Anthem ME’s collective failure to adequately protect customers’ PII has caused, and will continue to cause, substantial customer harm and injuries to persons in Maine and across the United States. As a result, the PII of Plaintiff and approximately Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 4 of 24 PageID #: 4 80 million consumers is now at risk of whatever unlawful ends the hackers who stole it choose to put it. 7. Plaintiff and National Class and Maine Subclass Members now face a “lifelong battle” against identity theft.4 Social Security Numbers and other PII Anthem, Inc. and Anthem ME left vulnerable constitute “a treasure trove for cybercriminals” that can “easily be sold on underground markets within hours and used for a wide variety of identity fraud schemes.”5 For instance, this stolen PII is “exactly” what criminals need to file fraudulent tax returns and thereby steal refunds from taxpayers.6 Thus, Plaintiff and National Class and Maine Subclass Members are now at risk of further instances of identity theft and resulting losses, in at least one or more of the following ways: (i) having their personal and financial information stolen; (ii) the time and costs associated with detection and prevention of identity theft and unauthorized use of their financial accounts; (iii) the time and costs associated with preventing, mitigating, or dealing with changes to financial accounts; (iv) the time, costs, and future consequence of being the victim of fraudulent charges; and (v) damage to their credit. 8. Plaintiff brings this action seeking damages, restitution, injunctive relief, and any other appropriate relief on behalf of himself and millions of Anthem’s customers in Maine and 4 Shary Rudavsky, Anthem Data Breach Could Be “Lifelong Battle” for Customers, IndyStar (Feb. 7, 2015), http://www.indystar.com/story/news/2015/02/05/anthem-data-breach-lifelongbattle-customers/22953623/. 5 Kurane and Finkle, At Least 300,000 Mainers at Risk in Anthem Cybersecurity Breach, Bangor Daily News, February 5, 2015, available at http://bangordailynews.com/2015/02/05/business/anthem-hit-by-massive-cybersecurity-breachpersonal-data-stolen/ (last visited February 10, 2015). 6 Erb, Connecticut Taxpayers Warned to File Early After Anthem Data Breach, Forbes, February 10, 2015, available at http://www.forbes.com/sites/kellyphillipserb/2015/02/10/connecticuttaxpayers-warned-to-file-early-after-anthem-data-breach/ (last visited February 12, 2015). Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 5 of 24 PageID #: 5 throughout the United States who had their PII stolen due to Anthem, Inc.’s and Anthem ME’s violation of their duty to adequately protect their PII. PARTIES 9. Plaintiff Brian Mason is a citizen of the State of Maine, residing in Brunswick, Cumberland County, Maine. Mr. Mason pays for health insurance through Anthem Health Plans of Maine, Inc., doing business as Blue Cross and Blue Shield of Maine. Mr. Mason’s PII was provided to or collected by Anthem ME and Anthem, Inc. prior to the data breach reported by Anthem on February 4, 2015. Mr. Mason’s PII was exposed to hackers as part of the data breach Anthem, Inc. reported on February 4, 2015. 10. Defendant Anthem, Inc., previously known as WellPoint, Inc., is incorporated and headquartered in Indianapolis, Indiana. Anthem, Inc. is the second-largest health insurer in the United States. Anthem, Inc. is licensed to conduct insurance operations in all 50 states, and conducts business in Maine through the business operations of its wholly owned subsidiary, Anthem ME. One in every nine Americans receives coverage through Anthem, Inc. or one of its affiliated plans.7 Anthem, Inc. maintains its Maine offices at 2 Gannett Drive, South Portland, ME 04106. 11. Defendant Anthem Health Plans Of Maine, Inc. is a Maine corporation and wholly owned subsidiary of Defendant Anthem, Inc. Anthem Health Plans of Maine, Inc. provides individual and group-based health insurance plans, and serves as a fiscal intermediary providing administrative services for the Medicare program, which generally provides coverage 7 Barbash and Phillip, Massive Data Hack of Health Insurer Anthem Potentially Exposes Millions, Washington Post, February 5, 2015, available at http://www.washingtonpost.com/news/morning-mix/wp/2015/02/05/massive-data-hack-ofhealth-insurer-anthem-exposes-millions/ (last visited February 9, 2015). Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 6 of 24 PageID #: 6 for persons who are 65 or older. Anthem ME maintains its offices at 2 Gannett Drive, South Portland, ME 04106. 12. Defendants DOES 1-10 are as yet unknown officers, directors, employees, agents, or affiliated companies of Anthem Inc. or Anthem ME who participated in the conduct alleged in this Complaint and/or are otherwise responsible for the breach of Anthem, Inc.’s computer system and resulting theft of Plaintiff’s and National Class and Maine Subclass Members’ PII. JURISDICTION AND VENUE 13. Jurisdiction of this Court is proper under 28 U.S.C. § 1332(d)(2). The matter in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, and is a class action in which members of the class of plaintiffs are citizens of states different from Defendants. 14. Venue is proper within this judicial district pursuant to 28 U.S.C. §1391(b) and (c). Anthem, Inc. and Anthem ME transact business and are found within this District, a substantial portion of the underlying transactions and events complained of herein occurred in this district and affected persons, including Plaintiff, reside or resided in this judicial district at the material times. Defendants have received substantial compensation from such transactions and business activity in this District, including as the result of premiums paid for Anthem’s insurance within this District. FACTUAL ALLEGATIONS 15. Plaintiff Brian Mason is an Anthem customer who provided payment to Anthem for health insurance and related services, part of which payments were attributable to Anthem’s administrative costs to secure his PII. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 7 of 24 16. PageID #: 7 Plaintiff and National Class and Maine Subclass Members contracted for Anthem’s services including a promise by Anthem to safeguard, protect, and not disclose their PII beyond any applicable permissions—and most certainly not to unauthorized hackers. Instead, Plaintiff and National Class and Maine Subclass Members received services from Anthem devoid of these important protections. 17. As a direct and proximate result of Anthem’s conduct, Plaintiff and National Class and Maine Subclass Members have suffered injury, harm, and damages, including, but not limited to, loss of monies paid to Anthem, Inc. and Anthem ME for services to protect and not disclose PII, and expenditure of significant time and money to protect themselves through measures such as: responding to the data breach, conducting a damages assessment, obtaining credit reports, obtaining credit monitoring, obtaining insurance and/or indemnification against future misuse of their identities, rehabilitating their PII, and other losses. 18. Anthem, Inc. and Anthem ME, like other health insurers, are obligated to keep customers’ PII private and secured. In particular, Anthem, Inc. and Anthem ME are subject to the Gramm-Leach-Biley Act, 15 U.S.C. §§ 6801 et seq., which obligates Anthem, Inc. and Anthem ME to maintain and protect their customers’ PII. 19. Anthem, Inc. and Anthem ME knew or should have known of the risks that their customers’ PII would be stolen and of the need to carefully safeguard this information, in part because the health care industry is more often attacked by hackers than any other sector of the economy.8 In 2014, the Federal Bureau of Investigation’s (“FBI”) cyber division warned that 8 Greisiger, Cyber Liability & Data Breach Insurance Claims, NetDiligence 2013, at p. 2, available at http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf (last visited February 9, 2015). Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 8 of 24 healthcare companies were susceptible to cyber attacks. 9 PageID #: 8 The FBI’s report was also highly publicized.10 It was also publicized that other entities in the health care field, including other insurance companies, had been attacked by hackers and/or were vulnerable to future attacks.11 20. Anthem, Inc. admitted they were on notice of these risks in Securities and Exchange Commission (“SEC”) Form 10-K filings dated February 20, 2014, where Anthem, Inc. acknowledged the need to maintain adequate systems to protect their customers’ data. 12 21. Consumers such as Plaintiff and Class and Subclass Members’ rely on health insurers such as Anthem, Inc. and Anthem ME to maintain their PII private and secure. Indeed, Anthem, Inc. itself represents to consumers: Anthem Blue Cross and Blue Shield maintains policies that protect the confidentiality of personal information, including Social Security numbers, obtained from its members and associates in the course of its regular business functions. Anthem Blue Cross and Blue Shield is committed to protecting information about its customers and associates, especially the confidential nature of their personal information. 13 9 FBI Cyber Division Private Industry Notification, April 8, 2014, available at https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf (last visited February 9, 2015). 10 Finkle, Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, Reuters, April 23, 2014, available at http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcarefbi-exclusiv-idUSBREA3M1Q920140423 (last visited February 9, 2014). 11 Filkins, Health Care Cyberthreat Report, SANS, February 2014, available at http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-CyberthreatReport2014.pdf (last visited February 9, 2015). 12 SEC Form 10-k Annual Report for the Year Ending December 31, 2013, available at http://www.sec.gov/Archives/edgar/data/1156039/000115603914000003/wlp20131231x10k.htm. 13 Anthem’s HIPPA Notice of Privacy Practices, available at https://www.anthem.com/healthinsurance/about-us/privacy#hipaa (last visited February 9, 2015). Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 9 of 24 22. PageID #: 9 Anthem, Inc. also claims to maintain “state-of-the-art” information security systems to protect their customers’ personal health and financial data. 14 23. Furthermore, Anthem, Inc. knew the need for it to implement stronger measures to ensure the confidentiality of consumers’ PII, including Social Security numbers, because its wholly owned subsidiaries have been involved in litigation over data breaches in the past. For instance, Blue Cross of California doing business as Anthem Blue Cross reached a settlement with the California Attorney General in 2012 involving the improper disclosure of the Social Security numbers of 33,000 of its Medicare Supplement and Medicare Part D subscribers.15 24. Anthem, Inc. and Anthem ME knew or should have known of the need to safeguard consumers’ PII because they were on notice of the risks described above. Anthem ME knew or should have known that Plaintiff and National Class and Maine Subclass Members entrusted their PII to Anthem ME with the understanding Anthem ME would secure and protect it. Similarly, Anthem, Inc. knew or should have known that Anthem ME provided it Plaintiff’s and National Class and Maine Subclass Members’ PII with which Anthem ME had been entrusted to Anthem, Inc. subject to this understanding. 25. Despite being on notice of the need to have adequate security over customers’ PII, and acknowledging its responsibility to adequately protect customers’ PII, Anthem, Inc. did not 14 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breachsocial-security/ (last visited February 9, 2015). 15 Office of the Attorney General, Cal. Dep’t of Justice, “Attorney General Kamala D. Harris Announces Settlement with Anthem Blue Cross over Data Breach” (Oct. 1, 2012), available at http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-settlementanthem-blue-cross-over. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 10 of 24 PageID #: 10 maintain adequate security and failed to take even the basic step of encrypting customers’ PII, even though encryption is widely regarded as a safe and prudent way to secure PII. 16 26. Similarly, despite being on notice of the need to have adequate security over customers’ PII, Anthem ME transferred Plaintiff’s and National Class and Maine Subclass Members’ PII to Anthem, Inc. despite the fact it knew or should have known that Anthem, Inc.’s security was inadequate. 27. Nor did Anthem, Inc. or Anthem ME ever disclose to Plaintiff or National Class and Maine Subclass Members that Anthem, Inc.’s security was inadequate as described herein. 28. Unfortunately, despite Anthem, Inc.’s promises and despite being on notice of the threat hackers would seek to obtain customers’ PII, between December 10, 2014 and January 27, 2015, hackers were able to access Anthem, Inc.’s customers’ PII, including Social Security Numbers, names, dates of birth, medical IDs, street addresses, email addresses and employment information, including income data.17 The hackers who breached Anthem, Inc.’s records were able to access a database containing approximately 80 million current and former customers’ PII.18 Although Anthem detected the initial attack on December 10, 2014, Anthem’s security 16 Jaspen, Hackers Stole Data on 80 Million Anthem Customers. Why Wasn’t It Encrypted?, Forbes, February 6, 2015, available at < http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didnt-encrypt-personal-data-andprivacy-laws-dont-require-it/> (last visited February 9, 2015). 17 Anthem CEO Joseph R. Swedish’s statement to Anthem consumers, available at http://www.anthemfacts.com/ (last visited February 9, 2015). 18 Brandeisky, Anthem Health Insurance Was Hacked, Here’s What Customers Need to Know, Time, February 5, 2015, available at http://time.com/money/3697026/anthem-data-breachsocial-security/ (last visited February 9, 2015). Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 11 of 24 PageID #: 11 was unable to prevent the further intrusions that lead up to the full disclosure of its customers’ PII.19 29. Despite detecting the initial attack on December 10, 2014, Anthem, Inc. and Anthem ME waited to announce the breach until February 4, 2015. Moreover, Anthem, Inc. and Anthem ME are still delaying notifying individual consumers affected by the breach.20 The Maine Attorney General has joined attorneys general from other affected states in criticizing Anthem, Inc.’s delay in notifying affected customers.21 30. Since Anthem, Inc. failed to take the basic protective measure of encrypting its customers’ PII, Plaintiff’s and National Class and Maine Subclass Members’ PII is now freely accessible to the hackers who stole it from Anthem, Inc., and anyone the hackers sell or give the information to, and can be easily used for a variety of illegal identity fraud schemes. 31. Anthem, Inc. could have encrypted customers’ PII and implemented other security measures prior to the cyber attack to analyze and identify solutions for their systems’ vulnerabilities, and this could have prevented the cyber attack from occurring, or at least minimized the risk to consumers since encrypted PII is far more difficult to use to carry out identity fraud and other criminal schemes. 19 Bailey, Anthem: Hackers Tried to Breach System as Early as Dec. 10, Associated Press, Available at http://abcnews.go.com/Technology/wireStory/anthem-hacker-breach-system-earlydec-10-28789740 (last visited February 10, 2015) 20 Tracer, After Hack, Anthem to Notify Affected Customers Within Two Weeks, Bloomberg, February 5, 2015, available at http://www.bloomberg.com/news/articles/2015-02-05/anthem-totell-hacked-customers-in-two-weeks-no-earnings-impact> (last visited February 9, 2015). 21 Ahmed, US States Say Anthem Too Slow to Inform Customers of Breach, Business Recorder, February 11, 2015, available at http://www.brecorder.com/business-a-finance/industries-asectors/223748-us-states-say-anthem-too-slow-to-inform-customers-of-breach.html (last visited February 12, 2015). Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 12 of 24 32. PageID #: 12 Anthem, Inc. violated the law and breached its duties to Plaintiff and National Class and Maine Subclass Members by failing to maintain the privacy and security of Plaintiff’s and National Class and Maine Subclass Members’ PII. Similarly, Anthem ME violated the law and breached its duties to Plaintiff and National Class and Maine Subclass Members by providing Plaintiff’s and National Class and Maine Subclass Members’ PII with which it had been entrusted to Anthem, Inc. without ensuring Anthem, Inc’s security was adequate to protect the PII. CLASS ACTION ALLEGATIONS 33. This action asserts claims on behalf of a nationwide Class and a Maine Subclass pursuant to Federal Rules of Civil Procedure 23(a), (b)(1), (b)(2), (b)(3), and (c)(4), defined as follows: The National Class: All persons in the United States whose personal or financial information was compromised by the data breach disclosed by Anthem, Inc. on February 4, 2015 (the “National Class”). The Maine Subclass: All persons residing in Maine who acquired health insurance through Anthem Health Plans of Maine, Inc., d/b/a Blue Cross and Blue Shield of Maine, and whose personal or financial information was compromised by the data breach disclosed by Anthem, Inc. on February 4, 2015 (the “Maine Subclass”).22 34. Excluded from the National Class and Maine Subclass are: (i) Anthem Inc., and its employees, principals, affiliated entities, legal representatives, successors, and assigns; (ii) Anthem Health Plans of Maine, Inc., and its employees, principals, affiliated entities, legal 22 Plaintiff reserves the right to amend or modify the National Class and Maine Subclass definitions, including adding one or more multistate classes or subclasses. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 13 of 24 PageID #: 13 representatives, successors and assigns; (iii) the DOE Defendants; and (iv) the judges to whom this action is assigned and any members of their immediate families. 35. There are millions of individual National Class Members who are geographically dispersed throughout the United States. Furthermore, there are thousands of individual Maine Subclass Members who are geographically dispersed throughout the State of Maine. Therefore, individual joinder of the members of the National Class and Maine Subclass defined above would be impracticable. 36. Common questions of law or fact exist as to all National Class and Maine Subclass Members. These common legal or factual questions include: a. Whether Anthem Inc. and/or Anthem ME engaged in the conduct alleged herein; b. Whether Anthem Inc. and/or Anthem ME owed a duty to Plaintiff and National Class and Maine Subclass Members to protect their PII; c. Whether Anthem Inc. and/or Anthem ME breached their duty owed to Plaintiff and National Class and Maine Subclass Members to protect their PII; d. Whether Anthem Inc. and/or Anthem ME owed a duty to Plaintiff and National Class and Maine Subclass Members to timely and accurately provide notice of Anthem’s data breach; e. Whether Anthem Inc. and/or Anthem ME breached their duty owed to Plaintiff and National Class and Maine Subclass Members to timely or accurately provide notice of Anthem’s data breach; f. Whether Anthem Inc. and/or Anthem ME knew or should have known that their computer systems were vulnerable to attack; g. Whether Anthem Inc. and/or Anthem ME had a duty to encrypt Plaintiff’s and National Class and Maine Subclass Members’ PII; h. Whether Anthem Inc. and/or Anthem ME breached their duties to encrypt Plaintiff’s and Class Members’ PII; i. Whether Plaintiff and National Class and Maine Subclass Members were injured as a result of Defendants’ conduct or failure to act; and Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 14 of 24 PageID #: 14 j. Whether Plaintiff and National Class and Maine Subclass Members are entitled to damages, restitution, and/or equitable relief. 37. Plaintiff’s claims are typical of the claims of the National Class and Maine Subclass. Plaintiff is an Anthem, Inc. customer who acquired health insurance through Anthem ME whose PII was compromised by the data breach announced by Anthem, Inc. on February 4, 2015. Therefore, Plaintiff is no different in any material respect from any other members of the National Class and Maine Subclass. The relief sought by Plaintiff is common to the relief sought by the National Class and Maine Subclass. 38. Plaintiff is an adequate representative of the National Class and Maine Subclass because his interests do not conflict with the interests of National Class and Maine Subclass Members that he seeks to represent, and he has retained counsel competent and experienced in conducting complex class action litigation. Plaintiff and his counsel will adequately protect the interests of the National Class and Maine Subclass. 39. A class action is superior to other available means for the fair and efficient adjudication of this dispute. The damages suffered by each individual member of the National Class and Maine Subclass are relatively small, while the burden and monetary expense needed to individually prosecute this case against Defendants is substantial. Thus, it would be virtually impossible for National Class and Maine Subclass Members individually to redress effectively the wrongs done to them. Moreover, even if National Class and Maine Subclass Members could afford individual actions, a multitude of such individual actions still would not be preferable to class wide litigation. Individual actions also present the potential for inconsistent or contradictory judgments, which would be dispositive of at least some of the issues and hence interests of the other members not party to the individual actions, would substantially impair or Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 15 of 24 PageID #: 15 impede their ability to protect their interests, and would establish incompatible standards of conduct for the party opposing the National Class and Maine Subclass. 40. By contrast, a class action presents far fewer litigation management difficulties, and provides the benefits of single adjudication, economies of scale, and comprehensive supervision by a single court. Also, or in the alternative, the National Class and Maine Subclass may be certified because Defendants have acted or refused to act on grounds generally applicable to National Class and Maine Subclass Members, thereby making preliminary and final declaratory relief appropriate; and the National Class and Maine Subclass may alternatively be certified with respect to particular issues pursuant to Fed. R. Civ. P. 23(c)(4). 41. All records concerning Anthem, Inc.’s data breach, including records sufficient to identify members of the National Class and Maine Subclass, are in the possession and control of Anthem, Inc., Anthem ME, and their agents and are available through discovery. CLAIMS FOR RELIEF FIRST CAUSE OF ACTION Negligence (on Behalf of Plaintiff and the National Class Against Anthem, Inc. and the DOE Defendants and on Behalf of Plaintiff and the Maine Subclass Against Anthem ME and the DOE Defendants) 42. Plaintiff incorporates by reference all preceding paragraphs as if fully set forth 43. Defendants owed a duty to Plaintiff and National Class and Maine Subclass herein. Members to exercise reasonable care in protecting and securing the Anthem consumers’ PII in their possession from being accessed or compromised in any way by unauthorized persons, including by implementing adequate computer security systems and using encryption methods. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 16 of 24 44. PageID #: 16 Defendants owed a duty to Plaintiff and National Class and Maine Subclass Members to exercise reasonable care in implementing safeguard to recognize a breach of their cyber security systems in a timely manner. 45. Defendants owed a duty to Plaintiff and National Class and Maine Subclass Members to exercise reasonable care in acting in a timely manner upon any warnings or alerts that their cyber security systems had been breached. 46. 6801 et seq. In addition, Defendants are subject to the Gramm-Leach-Bliley Act, 15 U.S.C. §§ Under the Gramm-Leach-Bliley Act, Defendants have an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. 47. Thus, Defendants owed an additional duty to Plaintiff and National Class and Maine Subclass Members to protect the security and confidentiality of their PII as required by the Gramm-Leach-Bliley Act. Defendants breached this duty as described throughout this Complaint. 48. Defendants owed a duty to Plaintiff and National Class and Maine Subclass Members to exercise reasonable care in timely disclosing any breach of their cyber security systems. 49. In the case that they did had not implemented adequate data security measures, Defendants owed a duty to Plaintiff and National Class and Maine Subclass Members to exercise reasonable care in disclosing that they could not adequately maintain the security and privacy of Plaintiff’s and National Class and Maine Subclass Members’ PII. 50. Defendants breached these duties owed to Plaintiff and National Class and Maine Subclass Members by their conduct alleged herein. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 17 of 24 51. PageID #: 17 As a direct and proximate result of Defendants’ breach of these duties, Plaintiff and National Class and Maine Subclass Members have been or will be harmed. Such reasonably foreseeable harm includes, at least, (i) actual and certain future injuries from fraud and/or identity theft due to hackers’ theft of Plaintiff’s and National Class and Maine Subclass Members’ PII, including credit freeze, credit monitoring and identity theft insurance; and (ii) other consequential damages. SECOND CAUSE OF ACTION Breach of Fiduciary Duty/Constructive Fraud (on Behalf of Plaintiff and the National Class Against Anthem, Inc. and on Behalf of Plaintiff and the Maine Subclass Against Anthem ME) 52. Plaintiff incorporates by reference all preceding paragraphs as if fully set forth 53. Plaintiff and National Class Members shared their PII with Anthem, Inc., and herein. Plaintiff and Maine Subclass Members shared their PII with Anthem ME, to obtain health insurance. 54. Anthem ME and Anthem, Inc.’s other subsidiary insurance companies had a confidential and/or fiduciary relationship with their customer-insureds for the purpose of maintaining the security, protection and confidentiality of their customers’ PII. 55. Anthem, Inc. acted as Anthem ME and Anthem, Inc.’s other subsidiary insurance companies’ agent for the purpose of maintaining the security, protection and confidentiality of their customers’ PII. Anthem, Inc. therefore stands in the same fiduciary and/or confidential relation to Plaintiff and National Class Members, and as Anthem ME for Plaintiff and Maine Subclass Members. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 18 of 24 56. PageID #: 18 Plaintiff and National Class and Maine Subclass Members placed their trust in Anthem, Inc. and Anthem ME. Specifically, Plaintiff and National Class and Maine Subclass Members entrusted their PII to Anthem, Inc. and Anthem ME. Except for disclosures that they have authorized, including to Anthem, Inc. and Anthem ME for the purpose of obtaining health insurance, Plaintiff and National Class and Maine Subclass Members want to keep their otherwise private PII private. 57. Plaintiff and National Class and Maine Subclass Members entrusted their PII to Anthem, Inc. and Anthem ME partly based on Anthem, Inc.’s and Anthem ME’s promises to keep their PII private. Based on these representations, Plaintiff and National Class and Maine Subclass Members justifiably believed that Anthem, Inc. and Anthem ME would protect the privacy of their PII. 58. There is a great disparity of position and influence between Anthem, Inc. and Anthem ME, and Plaintiff and National Class and Maine Subclass Members. Anthem, Inc. and Anthem ME are large insurance companies whose economic power greatly outweighs any held by Plaintiff and National Class and Maine Subclass Members. Further, Anthem, Inc. and Anthem ME are in superior positions to protect the security and privacy of Plaintiff’s and National Class and Maine Subclass Members’ PII, and to chose the means of doing so, because Plaintiff and National Class and Maine Subclass Members were not able to bargain over such terms when they obtained their insurance policies, which are take-it-or-leave-it form contracts. Indeed, Anthem, Inc. and Anthem ME have superior knowledge of the security measures necessary to protect PII because Plaintiff and National Class and Maine Subclass Members, as typical consumers not involved in the IT industry, do not have specific knowledge of this subject. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 19 of 24 59. PageID #: 19 As a result of the great disparity of position and influence, Plaintiff and National Class and Maine Subclass Members let down all guards and bars to Anthem, Inc. and Anthem ME regarding the security of their PII. Plaintiff and National Class and Maine Subclass Members held no power to require Anthem, Inc. and Anthem ME to implement any additional security measures. Plaintiff and National Class and Maine Subclass Members therefore had to rely entirely upon the means that Anthem, Inc. and Anthem ME promised they would take to safeguard their PII. 60. Anthem, Inc. and Anthem ME abused Plaintiff’s and National Class and Maine Subclass Members’ trust by failing to fulfill their duty to keep Plaintiff’s and National Class and Maine Subclass Members’ private. 61. Anthem, Inc. and Anthem ME obtained an advantage Plaintiff’s and National Class and Maine Subclass Members’ trust because Anthem, Inc. and Anthem ME profited from insurance policies sold to Plaintiff and National Class and Maine Subclass Members, who purchased them, in part, based on Anthem, Inc.’s and Anthem ME’s promises to protect the privacy of their PII. 62. Based on Plaintiff’s and National Class and Maine Subclass Members’ trust placed in Anthem, Inc. and Anthem ME and the great disparity of position and influence between the parties, a fiduciary and/or confidential relationship existed between Anthem, Inc. and Anthem ME, and Plaintiff and National Class and Maine Subclass Members. 63. Anthem, Inc. and Anthem ME breached their fiduciary duty to Plaintiff and National Class and Maine Subclass Members by their conduct described herein. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 20 of 24 64. PageID #: 20 As a direct and proximate result of Anthem, Inc’s and Anthem ME’s breach, Plaintiff and National Class and Maine Subclass Members suffered the damages and injuries described herein. THIRD CAUSE OF ACTION Breach of Contract (on Behalf of Plaintiff and the National Class Against Anthem, Inc. and on Behalf of Plaintiff and the Maine Subclass Against Anthem ME) 65. Plaintiff incorporates by reference all preceding paragraphs as if fully set forth 66. Anthem Inc. had contractual obligations to maintain the security of Plaintiff’s and herein. National Class Members’ PII. 67. Anthem ME had contractual obligations to maintain the security of Plaintiff’s and Maine Subclass Members’ PII. 68. Specifically, Anthem Inc. and Anthem ME promised to keep Plaintiff’s and National Class and Maine Subclass Members’ PII safe using physical, electronic, and procedural means, and to protect the confidentiality of Plaintiff’s and Anthem’s customers’ PII. 69. Plaintiff and National Class and Maine Subclass Members bargained and performed their obligations when they paid (or when others paid on their behalf) for Anthem Inc.’s and Anthem ME’s promises to protect the privacy of the PII given to it when Plaintiff and National Class and Maine Subclass Members’ (or others acting on their behalf) paid for health insurance from Anthem. 70. Plaintiff and National Class and Maine Subclass Members (or others acting on their behalf) paid for the security of their PII promised by Anthem Inc. and Anthem ME, the price of which was part of the premiums paid, but Plaintiff and National Class and Maine Subclass Members did not receive this security. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 21 of 24 71. PageID #: 21 Anthem Inc. and Anthem ME breached their contractual obligations to Plaintiff and National Class and Maine Subclass Members by failing to safeguard and protect their PII. 72. As a direct and proximate result of Anthem, Inc’s and Anthem ME’s breach, Plaintiff and National Class and Maine Subclass Members suffered the damages and injuries described herein. FOURTH CAUSE OF ACTION Breach of Implied Contract/Quantum Meruit (on Behalf of Plaintiff and the National Class Against Anthem Inc. and on Behalf of Plaintiff and the Maine Subclass Against Anthem ME) 73. Plaintiff incorporates by reference all preceding paragraphs as if fully set forth 74. Anthem Inc. provided an implied contract to Plaintiff and National Class herein. Members to protect their PII when they (or others on their behalf) purchased health insurance from Anthem. 75. Anthem ME provided an implied contract to Plaintiff and Maine Subclass Members to protect their PII when they (or others on their behalf) purchased health insurance from Anthem. 76. Plaintiff and National Class and Maine Subclass Members would not have provided their PII to Anthem Inc. or Anthem ME absent their implied promise to protect consumers’ PII. 77. Plaintiff, National Class and Maine Subclass Members, and Anthem Inc. and Anthem ME had a contemporaneous understanding that Anthem would safeguard and protect Plaintiff’s and Anthem Inc. or Anthem ME Members’ PII in exchange for premium payments. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 22 of 24 78. PageID #: 22 Plaintiff and Anthem Inc. or Anthem ME Members performed all the obligations required by them under the implied contract when they purchased health insurance from Anthem Inc. and Anthem ME. 79. Anthem Inc. and Anthem ME breached the implied contracts with Plaintiff and Anthem Inc. or Anthem ME Members by failing to safeguard and protect their PII. 80. As a direct and proximate result of Anthem, Inc’s and Anthem ME’s breach of their implied contracts, Plaintiff and National Class and Maine Subclass Members suffered the damages and injuries described herein. FIFTH CAUSE OF ACTION Unjust Enrichment (on Behalf of Plaintiff and the National Class Against Anthem, Inc. and DOE Defendants and on Behalf of Plaintiff and the Maine Subclass Against Anthem ME and DOE Defendants) 81. Plaintiff incorporates by reference all preceding paragraphs as if fully set forth 82. Defendants took money from (or on behalf of) Plaintiff and National Class and herein. Maine Subclass Members based upon assurances that it would maintain the security of the PII provided to it as described here. 83. Defendants appreciated or knew that Plaintiff and National Class and Maine Subclass Members paid premiums (or premiums were paid on their behalf) subject to the understanding Defendants would adequately safeguard Plaintiff’s and National Class and Maine Subclass Members’ PII as described herein. 84. As described herein, Defendants failed to adequately safeguard Plaintiff’s and National Class and Maine Subclass Members’ PII by failing: (i) to exercise reasonable care in safeguarding Plaintiff’s and National Class and Maine Subclass Members’ PII; (ii) to encrypt Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 23 of 24 PageID #: 23 Plaintiff’s and National Class and Maine Subclass Members’ PII; and (iii) to implement processes to detect a breach of its security systems containing Plaintiff’s and National Class and Maine Subclass Members’ PII in a timely manner, including acting upon any warnings or alerts that Anthem, Inc.’s or Anthem ME’s security systems were breached. 85. On the grounds of justice and fairness, Plaintiff and National Class and Maine Subclass Members are entitled to recover from Defendants the portion of the premiums they paid attributable to Defendants’ promise to safeguard their PII. VII. PRAYER WHEREFORE, Plaintiff, on behalf of himself all National Class and Maine Subclass Members requests award and relief as follows: A. An order certifying that this action is properly brought and may be maintained as a class action, that Plaintiff Brian Mason be appointed Class Representative for the National Class and Maine Subclass, and that Plaintiff’s counsel be appointed Class Counsel. B. Awarding compensatory damages in an amount determined at trial for each Cause of Action asserted herein for which these damages are available. C. Awarding equitable restitution in an amount determined at trial for each Cause of Action asserted herein for which this relief is available. D. An order enjoining Defendants from continuing the unlawful practices as set forth herein, and directing Defendants to identify, with Court supervision, victims of their conduct and pay them restitution. E. An order awarding Plaintiff his costs of suit, including reasonable attorneys’ fees and pre and post-judgment interest, as provided by law, or equity, or as otherwise available. Case 2:15-cv-00086-JAW Document 1 Filed 03/05/15 Page 24 of 24 H. PageID #: 24 Such other and further relief as may be deemed necessary or appropriate for any of the claims asserted. VIII. DEMAND FOR JURY TRIAL Plaintiff hereby demands a trial by jury on all claims and/or issues so triable. DATED: March 5, 2015 Respectfully Submitted, /s/ Benjamin K. Grant (ME Bar # 4328) McTeague, Higbee, Case, Cohen, Whitney & Toker, P.A 4 Union Park P.O. Box 5000 Topsham, ME 04086 Phone: (800) 210-8740 Fax: (207) 725-1090 Email: bgrant@mcteaguehigbee.com ATTORNEYS FOR PLAINTIFF AND THE PROPOSED CLASS