Anthem breach: what we know so far
Anthem breach: what we know so far

A pair of lawsuits filed in Denver District Court continue a customer legal assault on Anthem, Inc. after a massive data breach exposed private information on more than 80 million of the insurance company's past and present customers and employees.

In both suits, plaintiffs echo the anger and arguments of earlier lawsuits, claiming that Anthem broke faith by failing to protect their information, but one suit contends that customers paid Anthem higher premiums, shelled out dollars to ensure data protection and were promised protection services in the aftermath of the breach which it says Anthem ultimately did not provide.

Anthem “failed to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers' personal data,” said the suit filed on behalf of Mary Mellon.

“Despite paying enhanced membership fees and insurance premiums in exchange for Anthem's repeated promises of data security and protection, Anthem's conduct failed to deliver, thus denying Plaintiff and the Class members the benefits of their respective (though identical) bargains,” said a class-action suit filed on behalf of  Dana Hills.

Citing a deluge of phishing emails sent to the company's customers, “Anthem's promise to provide future protective services rings false,” said the Mellon suit. “The unidentified persons have gained access to Plaintiff and Anthem customers' email and mailing addresses.” The phishing emails began appearing almost immediately, the suit explained.

Both legal actions also questioned, as have some states, the delay between Anthem detecting the breach, which had been ongoing for at least a month, and its notification of customers. The Mellon suit called Anthem's failures “compound,” noting, as have others, that the insurance company “failed to take adequate and reasonable measures to ensure its data systems were protected and to prevent the data breach.” And, it said the company “waited approximately nine days before it informed its customers of the data breach and theft of their personal medical information.”

Anthem already has taken a good deal of heat for not encrypting its data and it appears the suits will use that lapse to make their case.  

“Such a failure to protect its members' information violates Anthem's obligations as established by federal law as incorporated into its member agreements,” said the Hills suit.