First Lawsuits Filed in Response to Anthem Data Breach Disclosure | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

First Lawsuits Filed in Response to Anthem Data Breach Disclosure

February 9, 2015
by Mark Hagland
| Reprints
On Feb. 9, USA Today reported that the first lawsuits have already been filed as a result of the data breach experienced by the Indianapolis-based Anthem Health, and which Anthem had disclosed on Feb. 4.

On Feb. 9, USA Today reported that the first lawsuits have already been filed as a result of the data breach experienced by the Indianapolis-based Anthem Health, and which Anthem had disclosed on Feb. 4. According to the USA Today report, at least four had been filed by Monday morning, in Indiana, California, Alabama, and Georgia.

The breach of data security at the nation’s second-largest health insurance company, had been detected on Jan. 27, when an Anthem IS administrator discovered that outsiders were using his own security credentials to log into the company’s information system and stealing data. The hackers had succeeded in penetrating the system and stealing customer data sometime between Dec. 10 and Jan. 27, with attempts possibly having been made earlier in 2014, according to Anthem spokesperson Kristin Binns.

Hackers had gained access to a company database that included members’ names, birthdays, Social Security numbers, addresses, and employment data, including income, but not credit card information.

Monday morning’s USA Today story included  quotes from David Damoto, managing director at FireEye, a security firm brought in to help Anthem analyze the data breach, which may have affected up to 80 million people. “We… saw evidence that the attacker was interested in very specific information, in this case, the database,” Damoto told USA Today. “They did very methodical reconnaissance into the database,” adding that “Attribution takes a lot of data. I think everyone’s just speculating” as to whether Chinese hackers might have been involved, as some press reports citing unnamed sources have stated. “At this point in time, we’re working very closely with the FBI and we haven’t jointly provided any attribution,” Damoto added.

As the USA Today report noted, “Some have questioned why Anthem would have maintained a single database containing information about 80 million current and former members. However,” the report added, “in the healthcare industry, such databases are useful, said J.J. Thompson, the CEO of Rook Security, an Indianapolis-based computer security firm.”

The story quoted Thompson as saying, “If I have my security hat on, I’d say, ‘Never put all your eggs in one basket.’ But in the healthcare world, having the database could lead to better patient outcomes. But it should have been encrypted. I hope it was encrypted.”

All four lawsuits referenced in the USA Today article are class action lawsuits, filed against anthem and/or its affiliate subsidiaries or units, on behalf of large groups of plaintiffs. The Indiana suit, filed in U.S. District Court for the Southern District of Indiana, Indianapolis Division, on Feb. 5, includes in its opening statement, the following:  “Anthem’s conduct—failing to take adequate and reasonable  measures to ensure its data systems were protected, failing to take available steps to prevent and stop the breach from ever happening, failing to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers’ financial account and personal data, and failing to provide timely and adequate notice of the Anthem data breach—has caused substantial consumer harm and injuries to consumers across the United States.”

Healthcare Informatics will continue to update readers on developments in this situation, as new developments emerge.




Survey: By 2019, 60% of Medicare Revenues will be Tied to Risk

Medical groups and health systems that are members of AMGA (the American Medical Group Association) expect that nearly 60 percent of their revenues from Medicare will be from risk-based products by 2019, according to the results from a recent survey.

83% of Physicians Have Experienced a Cyber Attack, Survey Finds

Eighty-three percent of physicians in a recent survey said that they have experienced some sort of cyber attack, such as phishing and viruses.

Community Data Sharing: Eight Recommendations From San Diego

A learning guide focuses on San Diego’s experience in building a community health information exchange and the realities of embarking on a broad community collaboration to achieve better data sharing.

HealthlinkNY’s Galanis to Step Down as CEO

Christina Galanis, who has served as president and CEO of HealthlinkNY for the past 13 years, will leave her position at the end of the year.

Email-Related Cyber Attacks a Top Concern for Providers

U.S. healthcare providers overwhelmingly rank email as the top source of a potential data breach, according to new research from email and data security company Mimecast and conducted by HIMSS Analytics.

Former Health IT Head in San Diego County Charged with Defrauding Provider out of $800K

The ex-health IT director at North County Health Services, a San Diego County-based healthcare service provider, has been charged with spearheading fraudulent operations that cost the organization $800,000.