Anthem Inc.’s massive data breach reported early this year is now generating real cases of identity theft, according to allegations in a small but growing number of lawsuits filed across the country.
Twenty-six people who have sued the Indianapolis-based health insurer claim they were victims of fraud, with most saying fraudulent tax returns were filed in their names using information obtained from Anthem. It had 78.8 million current and former customers’ records stolen by hackers from Dec. 10 to Jan. 27.
One woman says someone used her information from Anthem’s records to sign up for credit cards, a PayPal account, and a cell phone. Another woman says someone bought health insurance in her name on the Obamacare exchange in Georgia. And a third woman received a fraud alert from the ID-theft-protection company hired by Anthem, reporting that her teenage daughter’s Social Security number had been used to obtain credit.
“The timing is uncanny. We think that’s it’s more likely than not that it’s connected to Anthem,” said Lynn Toops, an Indianapolis attorney at Cohen & Malad LLP, which is representing more than three dozen plaintiffs in litigation against Anthem. She said “hundreds” more with identity-theft claims haven’t sued, but will join the class-action suit later this year.
But Anthem maintains it’s not the source of its customers’ troubles. That’s based on weekly reports it receives from the FBI, which is checking the black market to see if anyone is selling information from the Anthem hack.
“As part of the ongoing investigation regarding Anthem’s cyber attack, the FBI has been routinely monitoring for fraudulent activity related to this incident,” Anthem spokeswoman Kristin Binns wrote in an email. “Despite allegations to the contrary, there is no evidence that the cyber attackers have shared or sold any individuals’ data; and there is no evidence that fraud has occurred against any individuals who could have been impacted.”
Joshua Campbell, a supervisory special agent at the FBI’s Washington, D.C., office, confirmed that the FBI continues to investigate and that “we have not observed data stolen from the Anthem breach being sold on online dark markets.” However, he said the FBI could not directly confirm that no fraud has occurred against individual Anthem customers.
Figuring out who’s right could play a key role in determining whether Anthem ends up paying damages in these cases, which now number 101. The cases have been consolidated before a federal judge in California.
Of those suits, nine include a claim of specific damages, on top of the lawsuits’ claims that Anthem’s failure to protect its customers’ privacy was a breach of contract and, therefore, has already created damages before any identity theft occurs.
Having a specific claim of damages could help the plaintiffs’ cases survive a motion by Anthem to dismiss based on lack of standing, said Jeff Kosc, a litigator and partner at the Indianapolis office of Benesch Friedlander Coplan & Aronoff LLP.
That’s because the U.S. Supreme Court ruled in 2013 that claiming the potential for future harm (the case dealt with federal government surveillance) was “too speculative” to allow plaintiffs to sue.
“These are actual damages that will help the cases move forward,” Kosc said.
The trouble is, he added, it could be difficult to prove it was the Anthem data breach—rather than some other breach of data—that led to the identity theft.
The Indiana Department of Revenue is making the connection, according to Kathryn Leniski, an Anthem customer in Mishawaka.
In early March, Leniski received a letter from the Department of Revenue instructing her to claim her tax refund. But she had not yet filed her 2014 taxes. That prevented her from claiming a $2,200 refund she actually was owed.
To sort it out, Leniski spent three days with investigators at the Department of Revenue, the Internal Revenue Service and the FBI.
“Ms. Leniski was informed by the Department of Revenue that the attempted fraud respecting any 2014 state tax refund likely resulted from the Anthem breach,” wrote her attorneys in their lawsuit against Anthem.
A spokeswoman for the Department of Revenue declined to say how many other cases the department linked to Anthem.
“For security reasons, we cannot discuss the specifics of our fraud review process,” wrote Amanda Stanley in an email. “While we may be able to speculate that a fraudulent return is related to a recent data breach, we are not able to determine this link with certainty.”
The FBI has not publicly identified who was behind the Anthem data breach, but private security firms have linked it to hackers in China.
The Anthem case is part of a nationwide epidemic of breaches and identity theft—a proliferation that makes it difficult to untangle which breach led to which theft.
Since launching its Identity Protection Program last year, the Indiana Department of Revenue has helped 8,688 taxpayers discover their identities were stolen.
In addition to Anthem, hackers have breached 410 other companies or governments through July 7 this year, according to statistics reported by the Identity Theft Resource Center. In 2014, a record 783 business or government data breaches were documented by the center.
About 80 employees at Ball State University, which is an Anthem customer, had fraudulent tax returns filed in their names earlier this year. Some of the lawsuits against Anthem pointed to Ball State’s experience as evidence of the harm being caused by the Anthem data breach.
But Ball State spokeswoman Joan Todd said the university has “received no indication” that the ID thefts were connected to Anthem.
Bruce Geelhoed, a Ball State history professor who had a federal tax return filed in his name, noted that it was done before the Anthem breach was made public and that the fraudulent return used his salary—which is publicly available because Ball State is a public university—but included no information about his wife, who works for a private entity.
“The news of that [Anthem data breach] came sometime after we learned we had been hacked,” Geelhoed said.
Since hackers first breached Anthem’s computer systems nearly two months before the company made it public, it’s possible the stolen information could have been used before the breach hit the news.
More thefts surface
The pace of Anthem customers’ claiming identity theft has quickened as time as has gone on. While just three people claimed identity theft via lawsuits in February and March, 23 have done so since April, according to court records.
Evansville resident Andy Yarber didn’t file suit against Anthem until June—after his tax refund of $2,845 was denied because someone had already filed taxes in his name. He has spent more than $1,200 for accounting work to sort out the issue.
In one of several lawsuits it has filed against Anthem, Toops’ firm claimed 11 of its plaintiffs were victims of identity theft.
Toops noted there are some details about recent cases among Anthem customers that make her think they are connected to the Anthem data breach.
For example, she said, a number of the reports involve the fraudulent use of kids’ Social Security numbers. Health insurance records would be one of the few places such information could be obtained, she noted.
“Those are not just out there like adults’ Social Security numbers are,” Toops said.
Mary Carter, an Anthem customer in California, said she signed up her family for ID theft monitoring from AllClear, for which Anthem is paying for all its customers for up to two years. AllClear offers a special service called ChildScan for minors, which examines thousands of credit-related databases using a child’s Social Security number to uncover hard-to-find cases where a thief has used the number with someone else’s name to commit fraud.
In March, AllClear opened an investigation into Carter’s teenage daughter after her Social Security number was used to apply for credit. Carter is now suing on behalf of her daughter and potentially all other minors insured by Anthem.
“Because Defendants [Anthem] have failed to safeguard the personally identifiable information of tens of millions of children nationwide, they must stand to account before the law,” wrote Carter’s attorneys in her lawsuit.
Binns, the Anthem spokeswoman, said the fact AllClear is catching instances of identity theft involving minors means the service is helping Anthem customers—but doesn’t indicate that Anthem was the source of that identity theft.•