Just this morning, USA Today reported the filing within the past few days of class-action lawsuits in four states—Indiana, California, Alabama, and Georgia, in response to the disclosure last week on the part of the Indianapolis-based Anthem Inc. of a massive data breach that may have affected as many as 80 million people, making it the biggest data breach in U.S. healthcare to date.
Of course, some of the more jaded in the healthcare industry might immediately sigh and express disdain for the litigiousness of American society here, as lawsuits over that massive data breach have been filed in courts nationwide within days of its public disclosure. But I have a different perspective here.
Let’s look at the text of the motion filed last Friday in the U.S. District Court for the Southern District of Indiana, Indianapolis Division (and yes, that was the day after Anthem’s public disclosure of the data breach—the lawyers did indeed work fast there). In its opening statement, the suit included the following: “Anthem’s conduct—failing to take adequate and reasonable measures to ensure its data systems were protected, failing to take available steps to prevent and stop the breach from ever happening, failing to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers’ financial account and personal data, and failing to provide timely and adequate notice of the Anthem data breach—has caused substantial consumer harm and injuries to consumers across the United States.”
What’s more, the attorneys wrote this—and please bear with me here, this is long, and there is a bit of legalese in it, but the details are important:
“As a result of the Anthem data breach, 80 million Anthem customers have been exposed to fraud and these 80 million customers have been harmed. The injuries suffered by the proposed class as a direct result of the Anthem data breach include: theft of their personal and financial information; costs associated with the detection and prevention of identity theft and unauthorized use of their financial accounts; costs associated with time spent and the loss of productivity from taking time to address and attempt to ameliorate, mitigate, and deal with the actual and future consequences of the data breach, including finding fraudulent charges, cancelling and reissuing cards, purchasing credit monitoring and identity theft protection services, imposition of withdrawal and purchase limits on compromised accounts, and the stress, nuisance, and annoyance of dealing with all issues result from the Anthem data breach; the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others; money paid to anthem for health insurance during the period of the Anthem data breach in that Plaintiff and Class members would not have obtained insurance from Anthem had Anthem disclosed that it lacked adequate systems and procedures to reasonably safeguard customers’ financial and personal information had had Anthem provided timely and accurate notice of the Anthem data breach; overpayments paid to Anthem for health insurance purchased during the Anthem data breach in that a portion of the price for insurance paid by Plaintiff and the Class to Anthem was for the costs of Anthem providing reasonable and adequate safeguards and security measures to protect customers’ financial and personal data, which Anthem did not do, and as a result, Plaintiff and members of the Class did not receive what they paid for and were overcharged by Anthem; and continued risk to their financial and personal information, which remains in the possession of Anthem and which is subject to further breaches so long as Anthem fails to undertake appropriate and adequate measures to protect Plaintiff’s and Class members’ data in its possession.”
So why have I reiterated the core of the complaint against Anthem here, as presented in one of the class action lawsuits just recently filed against it? Because it contains the seeds of what could evolve into a functional legal standard on what will be required for health plans—and providers—to avoid being hit with multi-million-dollar judgments in breach cases.
In that regard, I think one of the key causes in the above complaint is this one: “the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others.”
In other words, simply by signing up, or being signed up by their employers, with Anthem, for health insurance, health plan members are relying on Anthem to fully safeguard their data, and a significant data breach is essentially what is known in the law as a tort.
And here’s where things get really, really sticky for Anthem, and that has to do with encryption—or the lack of it. In his excellent blog last Friday, HCI Senior Editor Gabriel Perna wrote this:
“Do we know everything there is to know about the Anthem hack? Of course not. Something could come out that exonerates Anthem in some respect. I think they deserve admiration for coming forward quickly and working with the FBI.
One thing we do know though is Anthem’s data was unencrypted. Like many of its healthcare peers, Anthem left its sensitive data exposed. As said by Trent Telford, CEO of Reston, Va.-based Covata and a member of Anthem, it is downright irresponsible to not protect sensitive data through encryption. McMillan added a pertinent observation, “The real question is how does information on 80 million people, which can’t be trivial, leave the enterprise without setting off any alarms?’”
And that simple fact—the fact of keeping the health, demographic, and financial information of about 80 million people in unencrypted databases—could result in a truly massive judgment against Anthem in court.
And that would be absolutely precedent-setting, both legally and business-wise.
So these lawsuits against Anthem in this breach case are extremely important on a number of levels. And their outcomes could very well set practical legal precedents for all healthcare organizations—health insurers and providers—for decades.
So we’ll all need to track these suits as they move forward in the courts. And we’ll also need to learn from them—now, and over time.