(CN) - Unfair competition law claims in a consolidated class action against health insurer Anthem over a massive data breach that affected 80 million people will go forward, a federal judge ruled.
U.S. District Judge Lucy Koh in California ruled that Anthem was not tied to many of the consumers' claims alleging the insurer, its affiliates and "non-Anthem" entities failed to protect personal data that was stolen last year.
Consumers nationwide filed multiple lawsuits against Anthem, 28 Anthem affiliates, Blue Cross Blue Shield Association, and 17 non-Anthem Blue Cross Blue Shield companies.
Anthem, the nation's second-largest health insurer, serves members through various Blue Cross Blue Shield licensee affiliates and other non-Blue Cross Blue Shield affiliates.
The insurer also works with the Blue Cross Blue Shield Association and several independent Blue Cross Blue Shield licensees via the BlueCard program.
Anthem's computer database, which contains current and former members' personal and health information, totals about 80 million individuals, Koh said.
In February 2015, the insurer publicly announced that "cyberattackers had breached the Anthem database, and [had] accessed [the personal and health information of] individuals in the Anthem database."
In 2009, about 600,000 customers of Wellpoint, Anthem's former trade name, separately "had their personal information and protected healthcare information compromised due to a data breach," Koh said.
The U.S. Department of Health and Human Services fined Anthem $1.7 million for various violations over data security in 2013.
In 2014, the federal government told Anthem and other health care companies of the possibility of future cyberattacks and advised them to take appropriate measures, including data encryption and enhanced password protection.
Consumers claim Anthem and its affiliates did not heed those warnings, however, and allowed hackers to extract massive amounts of data from the insurer's database from December 2014 to January 2015.
The cyberattacks were halted by Jan. 31, 2015, after the insurer discovered the breach and added various containment measures, Anthem said.
Cybersecurity company Mandiant, which Anthem hired to assist and respond to the data breach, released a report in July 2015 that said "Anthem and [its] affiliates [had] failed to take reasonable measures to secure the [personal and health information] in their possession."
Though Anthem publicly disclosed the data breach in February 2015, many affected customers said that were not personally informed until March 2015 if at all.
Anthem still has not disclosed whether it has made any changes to its security practices to prevent a future cyberattack, they said.
Several lawsuits over the data breach were moved to a single district in spring 2015.
In June 2015, a multidistrict litigation judicial panel issued a transfer order and selected Koh.
Her Feb. 14 ruling removed three Anthem entities entirely and partially removed seven more, with leave to amend. Blue Cross and Blue Shield of Arizona, BlueCross BlueShield of Tennessee and Highmark West Virginia were dismissed.
Claims against the remaining defendants may proceed under California's unfair competition law.
"There are nearly 80 million potential class members, with each class member asserting a variety of state and federal law claims," the 82-page ruling states. "Deferring questions of standing until class certification would only make the court's class certification decision all the more unwieldy, and would not be in the interest of promoting efficient litigation."
The data breached affected an estimated 13.5 million customers in California, more than any other state.
Koh otherwise denied Anthem and its affiliates' motion to dismiss.
Anthem argued that an increase in high-profile data breaches provided for a viable defense against the lawsuits, which Koh rejected.
"Under defendants' theory, a company affected by a data breach could simply contest causation by pointing to the fact that data breaches occur all the time, against various private and public entities," Koh said. "This would, in turn, create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable. No part of the unfair competition law, the relevant authority addressing causation or the specific facts of this case supports such a legal theory."
Koh gave the plaintiffs 30 days to file an amended complaint.
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.