In re Anthem, Inc. Data Breach Litigation
162 F. Supp. 3d 953
| N.D. Cal. | 2016
Background
- Anthem operated a centralized database holding PII/PHI for ~80 million current/former members of Anthem affiliates and other BCBS licensees; a cyberattack in Dec. 2014–Jan. 2015 exposed that data.
- Plaintiffs filed a consolidated amended complaint in MDL alleging nationwide class claims for inadequate data security, delayed/insufficient notice, and failure to disclose security deficiencies; they seek benefit-of-the-bargain, loss of PII value, out-of-pocket mitigation costs, and imminent-risk damages.
- Defendants split into Anthem Defendants (Anthem, Inc. and affiliates) and Non‑Anthem Defendants (BCBSA and 17 non‑Anthem BCBS companies); separate motions to dismiss addressed 10 selected claims and jurisdiction/standing issues for specific defendants.
- The court applied Twombly/Iqbal pleading standards and Ninth Circuit MDL principles, and exercised its discretion over whether to resolve standing before class certification (citing Amchem/Ortiz and In re Carrier IQ guidance).
- The court dismissed several claims with prejudice (Indiana negligence, Kentucky CPA, Kentucky Data Breach Act, and one named plaintiff’s California breach claim) but otherwise granted leave to amend for multiple contract, privacy‑statute, and fraud/consumer‑protection claims; it also dismissed certain defendants or claims for lack of specific factual allegations as to those defendants.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing of certain Non‑Anthem defendants (no named‑plaintiff connection) | Nationwide MDL; standing questions can be deferred until class certification (Amchem/Ortiz) | Where no named plaintiff alleges any connection, defendants should be dismissed now to avoid burdensome discovery | Court dismissed three Non‑Anthem entities entirely and dismissed ten Non‑Anthem defendants from the selected claims (with leave to amend); exercised discretion to decide standing now given breadth/cost of MDL |
| Indiana common‑law negligence (data‑breach injuries) | Plaintiffs assert duty to secure PII and compensable injury from exposure/costs | Defendants: Indiana law provides no private tort remedy for data‑breach exposure; statutes limit enforcement to Attorney General; economic‑loss doctrine/proximate causation fail | Court found Pisciotta controlling and dismissed Indiana negligence claim with prejudice (futility of amendment) |
| California / New Jersey breach of contract (failure to identify contract terms / incorporation) | Plaintiffs point to privacy notices/website statements and allege implied/express contracts to protect PII | Defendants: CAC fails to identify contract provisions or show incorporation; some claims preempted by ERISA | Court dismissed breach claims for failure to plead specific contractual provisions; granted leave to amend for California and New Jersey claims (but denied amendment where preemption conceded) |
| Consumer‑protection and statutory claims (UCL, NY GBL § 349, KCPA, state privacy statutes) – standing, injury, causation, scope | Plaintiffs allege economic injuries: benefit‑of‑the‑bargain, loss of PII value, out‑of‑pocket, imminent risk; point to deceptive/unlawful/unfair conduct and misrepresentations in notices/websites | Defendants challenge standing/injury (credit‑monitoring costs, risk not cognizable), causation, and preemption (ERISA/FEHBA); argue some statutes (e.g., GA IIPA) prohibit disclosure only, not theft; KCPA disallows class actions per state precedent | Court: UCL claim survives for unlawful and unfair prongs and plaintiffs have standing based on benefit‑of‑the‑bargain; UCL fraud prong dismissed for lack of particularity but with leave to amend; NY § 349 survives as to benefit‑of‑the‑bargain and loss‑of‑value theories but not for some mitigation costs; KCPA and Kentucky data breach claims dismissed with prejudice; GA IIPA dismissed but with leave to amend (court reads “disclose” narrowly) |
| Third‑party‑beneficiary claims under Federal BCBSA contract (FEHBA context) | Federal employee plaintiffs claim they are intended third‑party beneficiaries entitled to enforce contract privacy/data‑security terms; relief need not be exhausted through OPM because this is not a benefits claim | Defendants: plaintiffs’ claims are “health benefits”/administrative claims that must exhaust OPM review and/or are preempted by FEHBA; OPM has exclusive enforcement authority | Court held plaintiffs are intended third‑party beneficiaries and may assert breach of federal contract; their claims are not health‑benefits claims requiring administrative exhaustion; some state claims (California breach) conceded/preempted, but UCL claim not preempted |
Key Cases Cited
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (plausibility standard for Rule 12(b)(6))
- Ashcroft v. Iqbal, 556 U.S. 662 (application of Twombly plausibility and limits on conclusory pleading)
- Amchem Prods., Inc. v. Windsor, 521 U.S. 591 (when class‑certification issues may be considered before Article III standing)
- Ortiz v. Fibreboard Corp., 527 U.S. 815 (same; "logically antecedent" inquiry)
- Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007) (Indiana law: no private tort remedy for data‑exposure; statutory enforcement by AG)
- Kwikset Corp. v. Superior Court, 51 Cal.4th 310 (Cal. 2011) (UCL standing: economic injury and loss of money/property definitions)
- Roach v. Mail Handlers Benefit Plan, 298 F.3d 847 (9th Cir. 2002) (narrow construction of FEHBA/ERISA preemption re: benefits vs. malpractice)
- Astra USA, Inc. v. Santa Clara County, 563 U.S. 110 (interpretation of government contracts and private enforcement limits)
- Botsford v. Blue Cross & Blue Shield of Mont., 314 F.3d 390 (9th Cir. 2002) (FEHBA preemption principles; disputes over benefits preempted)
