On August 16, 2018, the Honorable Lucy H. Koh in the U.S. District Court for the Northern District of California granted final approval to a $115 million settlement – the largest data breach settlement in U.S. history – ending claims that Anthem Inc., one of the nation’s largest for-profit managed health care companies, put 78.8 million customers’ personal information, including social security numbers and health data, at risk in a 2015 data breach.
In February 2015, Anthem reported that it had incurred a massive data breach that compromised the Personally Identifiable Information (PII) and Personal Health Information (PHI), including social security numbers and health data, of 78.8 million insureds, thus constituting one of the largest data breaches ever.
On June 8, 2015 the Judicial Panel on Multidistrict Litigation transferred seventeen putative class action lawsuits to the Honorable Lucy H. Koh in the U.S. District Court for the Northern District of California for coordinated pretrial proceedings. An additional 110 cases were later transferred or related to the MDL.
The complaints alleged that Anthem failed to take adequate and reasonable measures to ensure its data systems were protected, failed to take available steps to prevent and stop the breach from ever happening, and failed to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard their personal data. Victims of the Anthem data breach – including children – face a lifetime risk of interference with their business and financial affairs.
Judge Lucy Koh appointed Cohen Milstein’s Andrew N. Friedman to lead this watershed case as one of two co-lead counsel from amongst hundreds of plaintiffs’ attorneys.
Under Mr. Friedman’s leadership, a team of attorneys aggressively pursued compensation from Anthem, its affiliates, numerous Blue Cross Blue Shield entities and the Blue Cross Blue Shield Association. Judge Koh permitted the case to go forward under a “bellwether” approach, whereby dispositive motions only went forward on 10 of the hundreds of causes of actions alleged in the consolidated complaints. From the six surviving claims (California breach of contract; New Jersey breach of contract; California UCL; an omission claim under the New York GBL; New York unjust enrichment; and third –party beneficiary claims on behalf of federal employees); the Court permitted class certification proceedings to go forward on four of the six claims. Plaintiffs chose to go forward on the California breach of contract, the California UCL, the New York GBL and the federal contract claims.
Through arguments made in several rounds of motions to dismiss, Plaintiffs were successful in convincing Judge Koh to sustain claims and damage theories (in her February 14, 2016 and May 27, 2016 Orders) that are on the cutting edge for privacy/data breach jurisprudence, including:
- the ability to pursue “benefit of the bargain” damages. Ultimately, plaintiffs argued in the class motion that these damages could be based on the difference between the objectively determined market value of the health insurance as promised/represented (with data security) and as actually delivered (with inadequate data security) for contract and consumer protection act claims;
- the ability to pursue damages for loss of value of PII. At the class certification stage, Plaintiffs argued that the value of PII could be measured by the “market” price of that data and/or the cost to class members to protect that PII from being fraudulently used.
Unlike most data breach cases, this case made it all the way through discovery, including the depositions of, and Daubert motions related to, experts.
Mr. Friedman’s team took or defended over 200 depositions and reviewed 3.8 million pages of defendants’ documents.
Ultimately, Mr. Friedman and his co-counsel mediated an historic $115 million settlement, preliminarily approved on August 25, 2017 – the largest settlement ever in a consumer data breach litigation. This record-breaking settlement, if approved, will provide: a minimum of two years of first-rate credit monitoring or alternative cash compensation; payment of out-of-pocket losses related to the breach; fraud resolution services (even if the class member does not submit a claim form); and significant data security practice changes and commitments by Anthem for three years.
For more information about the Anthem Data Breach Litigation, including information about the settlement and important case documents, please see the following website: https://www.databreach-settlement.com/