Burden on Anthem in Massive Data Breach Case

     SAN JOSE (CN) — A federal judge sided with Blue Cross Blue Shield in a discovery dispute with plaintiffs whose private data was compromised during the massive 2015 Anthem data breach.
     The plaintiffs, who sued Blue Cross Blue Shield Association and Anthem for failing to protect important data, claim Blue Cross is withholding documents that directly relate to Anthem’s cybersecurity.
     “We believe that the discovery we are requesting will show that the databases at issue in this case remain vulnerable,” plaintiffs’ attorney Geoffrey Graber said at a hearing on the matter Wednesday.
     At the heart of the dispute, Graber says, Blue Cross’s refusal to provide documents created after Feb. 3, 2015 could deny his clients “a smoking-gun document” about Anthem’s security.
     But Blue Cross attorney Brian Kavanaugh said Anthem, as the main defendant, is better positioned to provide discovery.
     “We’ve been charged with one count and we have provided discovery with respect to that count,” Kavanaugh said.
     U.S. Magistrate Judge Nathanael Cousins sided with Blue Cross, saying the compromise it offered throughout was reasonable, and that his decision did not mean Blue Cross could drag its feet on providing discovery to which it already has agreed.
     The Anthem data breach, which the company disclosed in February 2015, involved more than 37 million records from the company’s computer system, affecting an estimated 80 million people.
     The records included credit card numbers, Social Security numbers, income, home and email addresses and employment information.
     Consumers nationwide filed multiple lawsuits against Anthem, 28 Anthem affiliates, Blue Cross Blue Shield Association, and 17 non-Anthem Blue Cross Blue Shield companies.
     Anthem, the nation’s second-largest health insurer, serves members through various Blue Cross Blue Shield licensee affiliates and other non-Blue Cross Blue Shield affiliates. It also works with the Blue Cross Blue Shield Association and several independent Blue Cross Blue Shield licensees via the BlueCard program.
     The Department of Health and Human Services fined Anthem $1.7 million in 2013 for violations of data security.
     In 2014, the federal government warned Anthem and other health care companies of the possibility of more cyberattacks and advised them to take appropriate measures, including data encryption and enhanced password protection.
     Consumers claim Anthem and its affiliates did not heed the warnings, and allowed hackers to extract massive amounts of data from its database from December 2014 to January 2015.
     Anthem said it stopped the cyberattacks by Jan. 31, 2015.
     Though Anthem publicly disclosed the data breach in February 2015, many customers said they were not informed until March 2015, if at all. They also said Anthem failed to disclose whether it has made any changes to its security practices to prevent another cyberattack.
     Multiple lawsuits were transferred and consolidated in spring 2015. In June 2015, a multidistrict litigation judicial panel issued a transfer order and selected U.S. District Judge Lucy Koh.
     On Feb. 14, she dismissed three Anthem entities and partially dismissed seven more, with leave to amend. Blue Cross and Blue Shield of Arizona, BlueCross BlueShield of Tennessee and Highmark West Virginia were dismissed.
     Koh has indicated she will not grant a motion to dismiss, but asked both sides to narrow the seven claims to four in the interest of managing the complex case.
