PORTLAND, Maine — A Brunswick man on Thursday filed a $5 million class action suit against Anthem Health Plans of Maine, charging that the company failed to adequately protect the personal information of its clients before the data breach reported in February.
In a complaint filed Thursday in U.S. District Court in Portland, attorney Benjamin K. Grant of McTeague Higbee in Topsham wrote on behalf of his client, Brian Mason, that Anthem Inc. acted unreasonably by failing to encrypt clients’ confidential information, including Social Security numbers and medical and financial information.
On Feb. 4, Anthem disclosed the breach, announcing that it suspected hackers had stolen information belonging to tens of millions of current and former customers and employees, including at least 300,000 Maine residents, Reuters reported.
Social Security numbers, names, dates of birth, medical identification numbers, street and email addresses, and employment information including income data of approximately 80 million people was hacked between Dec. 10, 2014, and Jan. 27, 2015.
Although the breach was discovered on Dec. 10, Anthem did not announce it until Feb. 4, according to the suit, which notes, “The Maine Attorney General has joined attorneys general from other affected states in criticizing Anthem Inc.’s delay in notifying affected customers.”
Anthem is the second-largest health insurer in the country and conducts business in Maine as a wholly owned subsidiary, Anthem ME. According to the complaint, one in every nine Americans receives coverage through Anthem or an affiliated plan.
The suit alleges that Anthem also failed to maintain the information in an adequate computer system, failed to implement a process to detect a data breach in a timely way, failed to disclose the breach to consumers and failed to disclose that it could not adequately secure the personal information from theft or misuse.
In court documents, Grant refers to a 2014 FBI report in which the agency’s cyber division warned that health care companies were susceptible to cyberattacks.
According to Grant, had Anthem encrypted the data, “hackers would now possess electronic gibberish” instead of personal information that “is now freely readable by the hackers who acquired it and by whomever these hackers choose to sell the [information] to.”
Mason and other plaintiffs “now face a lifelong battle against identity theft,” Grant wrote, quoting from various publications that labeled the stolen personal information “a treasure trove for cybercriminals” that can “easily be sold on underground markets within hours and used for a wide variety of identity fraud schemes” such as filing fraudulent tax returns and stealing refunds.
The suit seeks “damages, restitution, injunctive relief, and any other appropriate relief” on behalf of the plaintiff “and millions of Anthem’s customers in Maine and throughout the United States” whose information was stolen.
Reached by email Friday, Grant declined to comment on the suit, although he confirmed that more than 60 similar lawsuits have been filed in other states.
A spokesman for Anthem also did not offer immediate comment Friday, saying that the company’s policy is not to comment on pending litigation.