Anthem, AmEx, PayPal, Must Face ID Theft Suit in Calif.

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Health insurance, financial services, and payment card companies failed to keep a California attorney’s identify theft lawsuit in federal court and must face the allegations back in state court, the U.S. District Court for the Northern District of California held May 31 ( Gallo v. Unknown No. of Identity Thieves , 2017 BL 183260, N.D. Cal., No. 17-CV-01465-LHK, 5/31/17 ).

Judge Lucy H. Koh granted plaintiff David J. Gallo’s request for attorneys’ fees, saying that defendant Anthem Blue Cross Life and Health Insurance Co. “lacked an objectively reasonable basis for seeking removal” to federal court in the first place.

The lawsuit stemmed from a 2015 data breach on Anthem’s database, which resulted in the theft of approximately 80 million people’s sensitive information.

According to Gallo’s state court complaint, starting in December 2016, attorneys started alleging that they received unwarranted charges from Gallo’s offices. After investigating the matter, Gallo discovered that unknown identity thieves had opened a credit card merchant account in his name and used it to defraud numerous victims.

According to Gallo, the identity thieves obtained his information when they hacked Anthem and its affiliates in 2015. Alleging six violations of California law, including invasion of privacy and negligence, Gallo sued Anthem, the unknown hackers, American Express Co., PayPal Inc., Powerpay LLC, and Compass Bank Bancshares Inc.

Anthem Feb. 21 successfully removed the lawsuit to federal court, arguing that Gallo’s claims “‘implicate substantial federal interests based on national security interests and the hHealth Insurance Portability and Accountability Act” (HIPAA), as well as the Employee Retirement Income Security Act (ERISA).


Gallo moved to remand the case back to San Diego County Superior Court.

Granting the request, the court held California state law governs each of Gallo’s claims. It rejected Anthem’s argument that the cyberattack at issue involved a state actor and, therefore, constituted a national emergency granting federal courts with jurisdiction.

“Although the breach at issue had nationwide consequences, and although the cause of the breach may implicate national security interests, the instant case is at bottom a lawsuit between a California plaintiff and California defendants based on alleged violations of California law,” the court concluded.

Rejecting Anthem’s bid to keep the case in federal court, Koh said that “self-employed persons are beyond the scope of ERISA,” and HIPAA isn’t relevant to the case because the complaint doesn’t involve theft or misuse of health information.

Gallo is proceeding pro se. Hogan Lovells US LLP represents Anthem. Akerman LLP is representing Compass Bank. Shook, Hardy Bacon LLP is representing American Express. Holland and Knight LLP is representing PayPayl. LTL Attorneys LLP is representing Powerpay.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full text of the court's opinion is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security