Skip to content Skip to navigation

First Lawsuits Filed in Response to Anthem Data Breach Disclosure

February 9, 2015
by Mark Hagland
| Reprints
On Feb. 9, USA Today reported that the first lawsuits have already been filed as a result of the data breach experienced by the Indianapolis-based Anthem Health, and which Anthem had disclosed on Feb. 4.

On Feb. 9, USA Today reported that the first lawsuits have already been filed as a result of the data breach experienced by the Indianapolis-based Anthem Health, and which Anthem had disclosed on Feb. 4. According to the USA Today report, at least four had been filed by Monday morning, in Indiana, California, Alabama, and Georgia.

The breach of data security at the nation’s second-largest health insurance company, had been detected on Jan. 27, when an Anthem IS administrator discovered that outsiders were using his own security credentials to log into the company’s information system and stealing data. The hackers had succeeded in penetrating the system and stealing customer data sometime between Dec. 10 and Jan. 27, with attempts possibly having been made earlier in 2014, according to Anthem spokesperson Kristin Binns.

Hackers had gained access to a company database that included members’ names, birthdays, Social Security numbers, addresses, and employment data, including income, but not credit card information.

Monday morning’s USA Today story included  quotes from David Damoto, managing director at FireEye, a security firm brought in to help Anthem analyze the data breach, which may have affected up to 80 million people. “We… saw evidence that the attacker was interested in very specific information, in this case, the database,” Damoto told USA Today. “They did very methodical reconnaissance into the database,” adding that “Attribution takes a lot of data. I think everyone’s just speculating” as to whether Chinese hackers might have been involved, as some press reports citing unnamed sources have stated. “At this point in time, we’re working very closely with the FBI and we haven’t jointly provided any attribution,” Damoto added.

As the USA Today report noted, “Some have questioned why Anthem would have maintained a single database containing information about 80 million current and former members. However,” the report added, “in the healthcare industry, such databases are useful, said J.J. Thompson, the CEO of Rook Security, an Indianapolis-based computer security firm.”

The story quoted Thompson as saying, “If I have my security hat on, I’d say, ‘Never put all your eggs in one basket.’ But in the healthcare world, having the database could lead to better patient outcomes. But it should have been encrypted. I hope it was encrypted.”

All four lawsuits referenced in the USA Today article are class action lawsuits, filed against anthem and/or its affiliate subsidiaries or units, on behalf of large groups of plaintiffs. The Indiana suit, filed in U.S. District Court for the Southern District of Indiana, Indianapolis Division, on Feb. 5, includes in its opening statement, the following:  “Anthem’s conduct—failing to take adequate and reasonable  measures to ensure its data systems were protected, failing to take available steps to prevent and stop the breach from ever happening, failing to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers’ financial account and personal data, and failing to provide timely and adequate notice of the Anthem data breach—has caused substantial consumer harm and injuries to consumers across the United States.”

Healthcare Informatics will continue to update readers on developments in this situation, as new developments emerge.




CMS Hospital Compare Website Updated with VA Data

The Centers for Medicare & Medicaid Services (CMS) has announced the inclusion of Veterans Administration (VA) hospital performance data as part of the federal agency’s Hospital Compare website.

CMS Awards Funding to Special Innovation Projects

The Centers for Medicare & Medicaid Services (CMS) has awarded 20, two-year Special Innovation Projects (SIPs) aimed at local efforts to deliver better care at lower cost.

Center of Excellence in Genomic Science to be Established in Chicago

The National Human Genome Research Institute has awarded $10.6 million over five years for the establishment of a new research center in Chicago to advance genomic science.

EHNAC and HITRUST Combine HIPAA Security Criteria, CSF Framework

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) announced plans to streamline their accreditation and certification programs.

Halamka on MACRA Final Rule: “CMS is Listening and I Thank Them”

Health IT notable expert John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston, recently weighed in on the Medicare Access and CHIP Reauthorization Act (MACRA) final rule.

Texas Patient Care Clinic Hit with Ransomware Attack

Grand Prairie, Texas-based Rainbow Children's Clinic was the victim of a ransomware attack on its IT systems in August, affecting more than 33,000 patients, according to multiple news media reports this week.