Less than 12 hours after Anthem Inc. reported hackers had stolen data on as many as 80 million current and former customers, local attorney Irwin Levin already was preparing a class-action lawsuit against the company.
He expects there will be more as Indianapolis-based Anthem tries to control fallout from the largest data breach ever at a U.S. health care company.
“If there’s one place that we expect all of our private data to be safe, it’s with the people we turn over our health information to,” said Levin, of Indianapolis law firm Cohen & Malad. “They formed a contract with people, and people paid premiums. … We’ll be suing them for breach of contract, for negligence and some other legal theories.”
Other recent data breaches have sparked massive litigation against hacked companies. Target Corp. has been hit with more than 100 lawsuits from shoppers, credit card companies and shareholders since late 2013, when a breach exposed 40 million shoppers’ credit and debit card accounts, as well as personal information for as many as 70 million people.
Minnesota-based Target has recorded $248 million in expenses related to the breach and suffered a dip in U.S. sales to boot.
Anthem, which reported its breach late Wednesday, has said it doesn't expect the breach to affect 2015 profit. Wall Street analysts generally agreed.
“From a financial perspective, the attack's timing comes at a time when the open enrollment period for key business lines is largely completed,” UBS analyst A.J. Rice said in a note to investors. That means, unlike Target, Anthem can’t lose many customers, at least immediately, because of the breach.
Anthem said Wednesday night that the “very sophisticated” attack was discovered by Anthem personnel, and is now being investigated by the FBI and a private firm hired by Anthem.
The information compromised includes names, birthdates, Social Security numbers, street and email addresses, and employee data, including income, Anthem said in an email. The insurer said there was no evidence that medical information was stolen.
In 2010, Anthem suffered a breach involving health information of more than 612,000 customers. That far smaller breach led to a $1.7 million settlement between Anthem and the U.S. Department of Health and Human Services, because the disclosure of health information was a possible violation of the federal HIPAA privacy statute.
Anthem will alert customers who were affected and provide credit and identify-theft monitoring services for free, CEO Joseph Swedish said in a letter to members.
“As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation,” he said.
Anthem drew praise from the FBI and others for the swiftness of its response. But Levin noted that the stolen information is still enough for the hackers to use to apply for credit cards in the names of Anthem customers, or to use in other ways.
“I hope that no person has their information used for nefarious purposes, but the odds of that are infinitesimally small,” said Levin, who also represents clients suing Target. “The notion that someone is going to go to all this trouble, and then sit on it while they laugh about it, is ridiculous.”