The Anthem Breach – A Retrospective

Many people and news outlets have opined, weighed in, and informed the public about the 2015 Anthem breach. It remains a hot topic in January 2017, because it currently lines up with other hot stories about hacking ordered by foreign governments.  But even before the Anthem breach was linked to one of the biggest issues of the 2016 election cycle, it was an important data incident, for several reasons.

1. Why was the Anthem breach important at that time?

The Anthem breach was notable because it was the first major data breach that potentially involved protected health information. Media coverage about the breach in 2015 reported that personal information of affected individuals was apparently sitting on Anthem’s servers unencrypted.  Encryption of PHI at rest (i.e., data that is not moving) is a much more common data security practice in 2017, in part because of the lessons learned from the Anthem breach. Some laws now even require personal information to be encrypted when at rest.

Another novelty at the time was a tactic the hackers employed in the Anthem breach.  When Anthem learned of the breach, it quickly notified affected individuals by e-mail and through public announcements, saying it would send follow-up information about next steps. This speedy notification was lauded by many as a best practice.  But in the wake of Anthem’s public announcements, scammers sent fake e-mails to untold thousands of Anthem members and former members, which appeared to be from the company, as a ruse to scam impacted data subjects into providing additional sensitive personal information.  Again, this provided a valuable lesson for the future, to Anthem and other companies impacted by hacker-caused data breaches.

2. The class-actions filed in the wake of Anthem survived commonly asserted “lack of standing” defense.

About a hundred lawsuits filed against Anthem in the wake of the breach were consolidated into one federal class-action case in California. Some claims were asserted under California law, which is much more sympathetic to a consumers’ right to privacy than some other states. Usually, a threshold issue in any data breach class action is the issue of “standing,” which is raised early at the motion to dismiss stage.  In order to overcome this challenge, the plaintiffs’ complaint must sufficiently allege actual harm suffered because of the breach.  Many a data breach class action has failed this test and been thrown out before the discovery stage.

Anthem filed a motion to dismiss, but the judge rejected it. In 2015, this result was not very common.  In fact, it’s still not very common, but plaintiffs are getting more sophisticated at alleging actual harm sufficient to beat back a standing challenge.  People certainly paid attention when Anthem’s motion to dismiss was denied.

In fact, the Anthem case is continuing, long after the stage where the average data breach case is thrown out, and it is well into discovery.  But, the class has still not been certified.  Class certification remains an obstacle that has yet to be successfully dodged in any data breach class action case.   Despite 12 years of litigation over data breaches, no court has yet certified a consumer breach class.

3. What role did the affected individuals play in the breach?

Perhaps there is a visceral reaction when a company like Anthem gets hacked and personally identifiable information is exposed.   Perhaps that reaction is justified.  But consider which personal behaviors consumers engage in both offline and online that may enhance the likelihood that a wrongdoer can compromise personally identifiable data.  Some Internet users are their own worst enemies in this regard.

Consumers should not assume that they cannot or will not be affected by a data breach. Every consumer should regularly take safety precautions to reduce the risk that their personal information is not needlessly exposed.  For instance, they should regularly check the privacy policies of the websites they visit.  If they aren’t comfortable with the information collection practices of a company they do business with, they should either “opt-out” or vote with their feet by choosing another company with which to do business.  They should also regularly check their free credit reports through services like Credit Karma.

The Anthem breach also should have served as a reminder of a very important fact: no organization, no matter how large and no matter what security protocols are in place, is immune from its systems being compromised.  Continued vigilance by entities that store personally identifiable information and by consumers who often willingly provide it is necessary to minimize the potential for harm that can result from its misuse.