Data-Breach Claims Against Anthem Not Preempted by FEHBA

Pension & Benefits Daily™ covers all major legislative, regulatory, legal, and industry developments in the area of employee benefits every business day, focusing on actions by Congress,...

By Carmen Castro-Pagan

Feb. 16 — A proposed class of federal employees can continue with third-party beneficiary claims alleging breach of contract by the Blue Cross Blue Shield Association stemming from Anthem Inc.'s 2015 data breach, the U.S. District Court for the Northern District of California ruled.

Judge Lucy H. Koh ruled in her Feb. 14 order that since patient privacy and data security weren't listed as plan benefits, the proposed class's breach-of-contract claims didn't constitute a proper “health-benefits claim” under the Federal Employee Health Benefits Act, and as such weren't preempted by the statute. Koh further ruled that the federal employees' state-law claims weren't preempted either.

In rejecting Blue Cross's motion to dismiss, Koh relied on Roach v. Mail Handlers Benefit Plan, 298 F.3d 847 (9th Cir. 2002), in which the U.S. Court of Appeals for the Ninth Circuit held that in interpreting the scope of FEHBA, courts created a divide between claims based on a denial of benefits, which were preempted, and claims based on medical malpractice, which weren't.

The proposed class action stems from Anthem's announcement in February 2015 that cyberattackers gained unauthorized access to its data systems, compromising the personal health information of 80 million of its individual members nationwide.

According to court documents, a number of lawsuits were filed against Anthem and Blue Cross entities not affiliated with Anthem as a result of the data breach. In general, the lawsuits alleged Anthem failed to protect its data systems, failed to disclose to customers that the company didn't have adequate security practices and failed to timely notify customers of the data breach.

In spring 2015, proposed class members moved to centralize pretrial proceedings in a single judicial district. Thus, the Judicial Panel on Multidistrict Litigation transferred pending cases arising out the Anthem data breach to the Northern District of California.

In October, class members filed a consolidated amended complaint that included 13 causes of action pursuant to various state and federal laws. Subsequently, Anthem and the non-Anthem Blue Cross entities moved to dismiss.

Federal Employees' Data Privacy Claims

Class members brought a third-party beneficiary breach-of-contract claim under FEHBA against the non-Anthem entities, asserting that under a contract between Blue Cross and the Office of Personnel Management, Blue Cross promised to take reasonable measures to protect the security and confidentiality of federal employees.

The non-Anthem entities moved to dismiss, arguing that the OPM was the only party that could seek relief under the contract. The non-Anthem entities further alleged that certain federal employees' state law claims were preempted. Specifically, the entities alleged that a member's claim under California's Unfair Competition Law was preempted by FEHBA.

The court rejected the non-Anthem entities' argument that only the OPM had exclusive standing to bring the claim. Federal employees were third-party beneficiaries under the contract, the court said. As a matter of general contract law, both an intended third-party beneficiary and a party to the contract may sue for breach, the court ruled. The fact that the OPM could also bring suit against Blue Cross didn't bar proposed class members from bringing suit as a third-party beneficiary, the court concluded.

In determining that FEHBA didn't preempt the California statute, the court again held that the member's unfair competition claim didn't represent a claim for benefits, since it was related to data privacy.

The court further held that FEHBA's conflict preemption didn't apply to the class member's claim. Conflict preemption applies when compliance with federal and state law is physically impossible or when the state law is an obstacle to the purposes or objectives of the federal law, the court noted.

The court said it wasn't impossible for Blue Cross to comply with both the federal and state law since all it had to do was to take affirmative and reasonable measures to protect the members' personal information. In rejecting Blue Cross's argument that state law claims interfered with the OPM's exclusive authority to police FEHBA carriers, the court held that the OPM's authority didn't apply to claims over an individual's data privacy.

“Health benefits—rather than promises concerning data privacy—represent the unique federal interests protected by FEHBA,” the court said. As a result, because data privacy wasn't a “benefit” under FEHBA, and isn't a uniquely federal interest, the member's unfair competition claim wasn't conflict preempted.

To contact the reporter on this story: Carmen Castro-Pagan in Washington at

To contact the editor responsible for this story: Jo-el J. Meyer at