Court Rules Out State Law Claims for Anthem Data Breach

Anthem Data Hack

Anthem health plan participants seeking redress for the massive data breach of their personal health information shouldn’t look to state law for help.

For the second time this year, the U.S. District Court for the Northern District of California has ruled that state law claims arising from Anthem’s February data breach are preempted by the Employee Retirement Income Security Act (Smilow v. Anthem Life & Disability Ins. Co. (In re Anthem, Inc. Data Breach Litig.), N.D. Cal., No. 5:15-cv-04739-LHK, 11/24/15).

In this case, originally filed in New York state court, the participants alleged negligence, breach of implied contract, unjust enrichment and invasion of privacy, among other state law claims. The participants sought relief on behalf of a class of other New York citizens whose health information was compromised.

In all, the data breach compromised the personal health information of 80 million of Anthem individual members nationwide.

Anthem removed the case to federal court, arguing that the state law claims were preempted by ERISA.

Cyberattacks on health insurers Anthem Inc. and Premiere Blue Cross earlier in 2015 have many health-care organizations worried they'll be next (See Health-Care Industry Not Ready for Cyberattack).

ERISA Preemption Analysis

ERISA preempts any state law cause of action that duplicates, supplements or supplants the ERISA civil enforcement remedy, Section 502(a), Judge Lucy H. Kohn wrote in this latest decision.

The court applied the test articulated in Aetna Health, Inc. v. Davila, 542 U.S. 200 (2004), which provides that a state law cause of action is completely preempted if an individual could have brought the claim under Section 502(a), and no other independent legal duty is implicated by the defendant's actions.

The participants sought to enforce their rights under the ERISA plan through their breach-of-contract and unjust-enrichment claims. Since these claims were premised on the insurance contract between the participants and Anthem they could have brought their actions under Section 502(a), the court concluded.

In addition, Anthem didn’t have an independent legal duty to protect participants’ privacy pursuant to state law, the court said.

State legal duties aren't independent of ERISA if they are based on an obligation under an ERISA plan and if they wouldn't exist if the plan didn't exist, the court explained.

Looking into the benefits handbook that participants received from Anthem which stated Anthem's privacy policy, the court concluded that Anthem's duty to comply with state privacy laws was an obligation under the ERISA plan.

See related story Data Breach Claims Against Anthem ERISA-Preempted.

Stay on top of the latest industry trends and news coverage with a free trial to the Benefits Practice Resource Center.