BreachExchange mailing list archives

Data-Breach Claims Against Anthem Not Preempted by FEHBA


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Feb 2016 19:07:48 -0700

http://www.bna.com/databreach-claims-against-n57982067394/

A proposed class of federal employees can continue with third-party
beneficiary claims alleging breach of contract by the Blue Cross Blue
Shield Association stemming from Anthem Inc.'s 2015 data breach, the U.S.
District Court for the Northern District of California ruled.

Judge Lucy H. Koh ruled in her Feb. 14 order that since patient privacy and
data security weren't listed as plan benefits, the proposed class's
breach-of-contract claims didn't constitute a proper “health-benefits
claim” under the Federal Employee Health Benefits Act, and as such weren't
preempted by the statute. Koh further ruled that the federal employees'
state-law claims weren't preempted either.

In rejecting Blue Cross's motion to dismiss, Koh relied on Roach v. Mail
Handlers Benefit Plan, 298 F.3d 847 (9th Cir. 2002), in which the U.S.
Court of Appeals for the Ninth Circuit held that in interpreting the scope
of FEHBA, courts created a divide between claims based on a denial of
benefits, which were preempted, and claims based on medical malpractice,
which weren't.

The proposed class action stems from Anthem's announcement in February 2015
that cyberattackers gained unauthorized access to its data systems,
compromising the personal health information of 80 million of its
individual members nationwide.

According to court documents, a number of lawsuits were filed against
Anthem and Blue Cross entities not affiliated with Anthem as a result of
the data breach. In general, the lawsuits alleged Anthem failed to protect
its data systems, failed to disclose to customers that the company didn't
have adequate security practices and failed to timely notify customers of
the data breach.

In spring 2015, proposed class members moved to centralize pretrial
proceedings in a single judicial district. Thus, the Judicial Panel on
Multidistrict Litigation transferred pending cases arising out of the Anthem
data breach to the Northern District of California.

In October, class members filed a consolidated amended complaint that
included 13 causes of action pursuant to various state and federal laws.
Subsequently, Anthem and the non-Anthem Blue Cross entities moved to
dismiss.

Federal Employees' Data Privacy Claims

Class members brought a third-party beneficiary breach-of-contract claim
under FEHBA against the non-Anthem entities, asserting that under a
contract between Blue Cross and the Office of Personnel Management, Blue
Cross promised to take reasonable measures to protect the security and
confidentiality of federal employees.

The non-Anthem entities moved to dismiss, arguing that the OPM was the only
party that could seek relief under the contract. The non-Anthem entities
further alleged that certain federal employees' state law claims were
preempted. Specifically, the entities alleged that a member's claim under
California's Unfair Competition Law was preempted by FEHBA.

The court rejected the non-Anthem entities' argument that only the OPM had
exclusive standing to bring the claim. Federal employees were third-party
beneficiaries under the contract, the court said. As a matter of general
contract law, both an intended third-party beneficiary and a party to the
contract may sue for breach, the court ruled. The fact that the OPM could
also bring suit against Blue Cross didn't bar proposed class members from
bringing suit as a third-party beneficiary, the court concluded.

In determining that FEHBA didn't preempt the California statute, the court
again held that the member's unfair competition claim didn't represent a
claim for benefits, since it was related to data privacy.

The court further held that FEHBA's conflict preemption didn't apply to the
class member's claim. Conflict preemption applies when compliance with
federal and state law is physically impossible or when the state law is an
obstacle to the purposes or objectives of the federal law, the court noted.

The court said it wasn't impossible for Blue Cross to comply with both the
federal and state law since all it had to do was to take affirmative and
reasonable measures to protect the members' personal information. In
rejecting Blue Cross's argument that state law claims interfered with the
OPM's exclusive authority to police FEHBA carriers, the court held that the
OPM's authority didn't apply to claims over an individual's data privacy.

“Health benefits—rather than promises concerning data privacy—represent the
unique federal interests protected by FEHBA,” the court said. As a result,
because data privacy wasn't a “benefit” under FEHBA, and isn't a uniquely
federal interest, the member's unfair competition claim wasn't conflict
preempted.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/