PORTLAND — A Brunswick man on March 5 filed a $5 million federal class-action lawsuit against Anthem Health Plans of Maine, charging that the company failed to adequately protect the personal information of its clients prior to a data breach reported in February.
The complaint filed in U.S. District Court by attorney Benjamin Grant on behalf of his client, Brian Mason, alleges Anthem failed in its duty to adequately encrypt clients’ personal and confidential information, including Social Security numbers and medical and financial information.
Anthem disclosed the breach on Feb. 4, announcing that it suspected hackers had stolen information belonging to tens of millions of current and former customers and employees, including at least 300,000 Maine residents, Reuters reported.
Social Security numbers, names, dates of birth, medical identification numbers, street and email addresses and employment information including income data of approximately 80 million current and former customers was hacked between Dec. 10, 2014, and Jan. 27, 2015, Anthem disclosed.
The breach was discovered Dec. 10, 2014, according to Anthem, and the lawsuit notes “the Maine Attorney General has joined attorneys general from other affected states in criticizing Anthem Inc.’s delay in notifying affected customers.”
Anthem is the second-largest health insurer in the country and conducts business in Maine through a wholly owned subsidiary, Anthem ME. According to the complaint, one in every nine Americans receives coverage through Anthem or an affiliated plan.
The suit alleges that Anthem also failed to maintain the information in an adequate computer system, failed to implement a process to detect a breach of the information in a timely way, failed to disclose the breach to consumers and failed to disclose that it could not adequately secure the personal information from theft or misuse.
In court documents, Grant refers to a 2014 FBI report in which the agency’s cyber division warned that health-care companies were susceptible to cyberattacks.
According to Grant, had Anthem encrypted the data, “hackers would now possess electronic gibberish” instead of personal information that “is now freely readable by the hackers who acquired it and by whomever these hackers choose to sell the (information) to.”
Mason and other plaintiffs “now face a lifelong battle against identity theft,” Grant wrote, quoting from various publications that reported that the personal information stolen constitutes “a treasure trove for cybercriminals” that can “easily be sold on underground markets within hours and used for a wide variety of identity fraud schemes,” such as filing fraudulent tax returns and stealing refunds.
The suit seeks “damages, restitution, injunctive relief, and any other appropriate relief” on behalf of the plaintiff “and millions of Anthem’s customers in Maine and throughout the United States” whose information was stolen.
Reached by email, Grant declined to comment on the suit, although he confirmed that more than 60 similar lawsuits have been filed in other states.
A spokesman for Anthem also did not offer immediate comment, saying that the company’s policy is not to comment on pending litigation.