United States District Court, District of Columbia
IN RE ANTHEM, INC. DATA BREACH LITIGATION
P. Mehta, United States District Judge
Anthem, Inc., a health benefits and health insurance company,
suffered a massive cyberattack on its computer systems
sometime between December 2014 and January 2015. The hackers
stole personally identifiable information and personal health
information of approximately 80 million people. Amongst those
whose information was compromised were federal employees who
receive their health insurance through the Federal Employee
Health Benefits Program. Some individuals whose information
was compromised filed suit against Anthem, Inc., its
affiliates, and involved third-party corporations, ultimately
leading to consolidation of those cases in the form of a
class-action, multidistrict litigation in the United States
District Court for the Northern District of California.
13, 2016, Lead Plaintiffs in the multidistrict litigation
issued a subpoena for documents to the United States Office
of Personnel Management (“OPM”), the agency
responsible for negotiating and administering the federal
government's health insurance contracts with Anthem,
Inc., and its affiliates. Those contracts authorize OPM to
conduct audits of the insurance carriers' information
technology systems (“IT systems”). Lead
Plaintiffs' subpoena seeks records relating to OPM's
IT systems audits of Anthem, Inc., and its affiliates, both
before and after the cyberattack. The agency released a
portion of the documents responsive to the subpoena but
withheld others, claiming that the deliberative process
privilege protected all the withheld documents from
disclosure and the law enforcement privilege also protected
certain of those documents. Lead Plaintiffs then filed, in
this court, a Motion to Compel OPM to disclose the withheld
the benefit of substantial briefing, oral argument, and in
camera review of the documents in question, the court finds
that most of the documents withheld by OPM are protected by the
deliberative process privilege. Some of the withheld
documents or portions thereof, however, contain only factual
information. As to those records or portions of records, the
court concludes that neither the deliberative process nor the
law enforcement privilege applies. Accordingly, the court
grants in part and denies in part the Lead Plaintiffs'
Motion to Compel.

Anthem's Contract with the Office of Personnel Management

Anthem, Inc. (“Anthem”) provides health benefits and
health insurance services to millions of individuals through
a nationwide network of affiliate and third-party
entities. See In re Anthem, Inc. Data Breach
Litig., No. 15-2617, 2016 WL 3029783, at *2 (N.D. Cal.
May 27, 2016); Pls.' Mot. to Compel Compliance with
Subpoena Duces Tecum, ECF No. 1 [hereinafter Pls.' Mot.],
at 1-2 & n.3. To provide these services, Anthem, its
affiliates, and the third-party entities maintain a common
computer database of current and former members' personal
information. See In re Anthem, 2016 WL 3029783, at
*2. This information includes, but is not limited to,
individuals' Social Security numbers, home addresses, and
confidential medical information. See Pls.' Mot.
those Anthem serves are federal employees. The United States
Office of Personnel Management (“OPM”) negotiates
and administers the federal government's contracts with
insurance providers, including Anthem. See Non-Party
Resp't's Mem. in Opp'n to Pls.' Mot. to
Compel, ECF No. 5 [hereinafter Gov't's Opp'n], at
2. By statute, OPM's Office of the Inspector General
(“OIG”) has authority to periodically conduct
audits of entities receiving OPM funds or benefits, such as
insurance carriers that contract to provide services to
federal employees. See 5 U.S.C. app. 3 § 2(1);
Gov't's Opp'n at 2-3; Gov't's Opp'n,
Decl. of Norbert E. Vint, ECF No. 5-2 [hereinafter Vint
Decl.], ¶ 3. Consistent with that statute, Anthem's
contract with OPM authorizes OIG to audit Anthem's IT
systems. See Pls.' Mot. at 3.
IT systems audits benefit both OPM and the audited entity.
The audits “are designed to identify weaknesses [in the
audited entity's IT systems] so that the audited entity
may institute appropriate safeguards against threats.”
Gov't's Opp'n, Decl. of Nicholas Hoyle, ECF No.
5-3 [hereinafter Hoyle Decl.], ¶ 4. The overarching goal
is for OIG to “evaluate the effectiveness of the
entity's preventive measures and recommend remedies as
needed” so as to “assist the audited entity with
preventing criminal actors from stealing and exploiting [the]
personal identifiable information and protected health
information” of federal employee-enrollees.
Id. The audit has the simultaneous effect of keeping
OPM abreast of the audited entity's present compliance
with its federal contract and federal law. Generally
speaking, the audit assesses several “general IT
security controls: security management, physical access
controls; logical access controls; network security; business
continuity; configuration management; and segregation of
duties.” Id. ¶ 7.
audit takes several steps to complete. The process begins
with two on-site investigations, after which OIG discusses
its “preliminary concerns” with the audited
entity and ensures it has all the information it needs to
proceed with the audit. See id. ¶¶ 11-12.
Next, equipped with the necessary information, OIG analyzes
vulnerabilities in the IT system and produces a draft audit
report, which it releases to the audited entity for response
and factual corrections. See id. ¶¶ 13,
21; Vint Decl. ¶ 7. Finally, OIG publishes a final audit
report, which takes account of any corrections the audited
entity made to the draft audit report, the audited
entity's written response to the draft audit report, and
OIG's “final determination regarding its findings
and recommendations.” Hoyle Decl. ¶ 13;
accord Vint Decl. ¶ 7.

OIG's Audits of Anthem's IT Systems

2013, OIG audited Anthem's IT systems (“the 2013
Audit”) and generated a report with findings and
recommendations for addressing identified weaknesses in
Anthem's systems. See Pls.' Mot. at 3;
Gov't's Opp'n at 3; Pls.' Mot., Ex. D
[hereinafter 2013 Final Audit Report]. OPM's internal
discussions regarding Anthem continued after the 2013 Audit
concluded. OPM's Audit Resolution Branch reviewed the
recommendations in the 2013 Final Audit Report and evaluated
whether Anthem had appropriately implemented them, a process
known as “closing out” a recommendation.
See Gov't's Opp'n at 3-4.
the key issues that arose during the 2013 Audit was that
Anthem, citing company policy, refused to allow OIG auditors
to connect their equipment to Anthem's network to conduct
a configuration compliance test. See 2013 Final
Audit Report at 9-10; see also Pls.' Mot. at 4.
As a result, the auditors were prevented from conducting as
thorough an audit as they had planned and believed necessary.
Consequently, after the 2013 Audit concluded, OPM staff
discussed whether and in what ways to amend Anthem's
federal contract “to ensure that OIG audit staff has
sufficient access to contractor systems and materials, to
prevent a recurrence of issues encountered by OIG during the
2013 Audit.” Gov't's Opp'n at 3-4;
accord Gov't's Opp'n, Decl. of Alan
Spielman, ECF No. 5-1 [hereinafter Spielman Decl.], at 2.
February 2015, Anthem announced that its centralized database
had been hacked, compromising the security of approximately
80 million individuals' sensitive personal information.
See Pls.' Mot. at 3; Gov't's Opp'n
at 2; Pls.' Mot., Ex. C. Following the cyberattack, OIG
conducted another audit of Anthem's IT systems, including
preparation of draft and final audit reports. See
Gov't's Opp'n at 4. Although the 2015 Final Audit
Report is now complete and OPM has shared that report with
Anthem, OPM has not yet made the report available to the
public. See id. (stating that the 2015 Final Audit
Report has not yet been published); Pls.' Reply, ECF No.
6 [hereinafter Pls.' Reply], at 1 & n.2 (explaining
that the 2015 Draft Audit Report and 2015 Final Audit Report
are no longer at issue in this litigation because the
Government has provided them to Lead Plaintiffs).

The Subpoena to OPM

the cyberattack, a number of Anthem customers filed class
action claims in various jurisdictions, generally asserting
that Anthem and other involved entities “(1) fail[ed]
to adequately protect Anthem's data systems, (2) fail[ed]
to disclose to customers that Anthem did not have adequate
security practices, and (3) fail[ed] to timely notify
customers of the data breach.” In re Anthem, Inc.
Data Breach Litig., 162 F.Supp.3d 953, 968 (N.D. Cal.
2016). Shortly thereafter, several plaintiffs moved to
consolidate the cases, and the United States Judicial Panel
on Multidistrict Litigation transferred all cases
“arising out of the Anthem data breach” to the
Northern District of California to proceed as a single action
before The Honorable Lucy H. Koh. See
id. One of the claims advanced in the
multidistrict litigation is a third-party beneficiary claim
for breach of contract on behalf of those federal employees
who were enrolled in the Federal Employee Health Benefits
Plan at the time of the cyberattack, received their health
insurance and related benefits from Anthem, and whose
personal information was compromised as a result.
See Redacted Version of Third Am. Compl., In re
Anthem, No. 15-2617 (N.D. Cal. July 11, 2016), ECF No.
537-3, ¶¶ 434, 517-33.
13, 2016, Lead Plaintiffs' counsel in the multidistrict
litigation submitted a request to OPM's General Counsel
for 17 categories of documents related to the agency's
2013 and 2015 audits of Anthem. Pls.' Mot. at 9; see
also 5 C.F.R. § 295.203. Counsel simultaneously
served OPM with a subpoena, demanding production of the same
17 categories of documents. See Pls.' Mot. at 9;
Pls.' Mot., Ex. A [hereinafter Subpoena]. Pursuant to Rule 45
of the Federal Rules of Civil Procedure, the Department of
Justice, acting on OPM's behalf, objected to the
subpoena. Pls.' Mot., Ex. M; see Fed. R. Civ. P.
several discussions between Lead Plaintiffs' counsel and
the Department of Justice, Lead Plaintiffs narrowed their
demand for documents, and OPM released various documents but
continued to withhold others. See Pls.' Mot. at
11-12. OPM asserts that the documents it has not released to
Lead Plaintiffs are protected under the deliberative process
and law enforcement privileges. See Pls.' Mot.
at 12; Gov't's Opp'n at 4-5. The withheld
documents fall into three categories:
1. Audit workpapers pertaining to (i) Anthem's refusal to
permit OPM to conduct certain audit testing, and (ii) auditor
reviews and conclusions about Anthem's information system
security measures and practices;
2. Meeting write-ups, which document meetings between
auditors and Anthem representatives regarding, amongst other
things, Anthem's network configuration management,
security, and risk assessment; and
3. E-mails between and amongst federal employees discussing
(i) potential changes to federal contracts, including
Anthem's contract, and (ii) whether Anthem successfully
implemented certain recommendations that OIG made as part of
the 2013 Audit.
See Gov't's Opp'n at 5; Pls.' Mot.
at 12-23; see also Pls.' Reply at
The Government contends that all the documents in these
categories are protected from disclosure by the deliberative
process privilege and that the law enforcement privilege also
applies to prevent disclosure of the audit workpapers and
meeting write-ups. See Gov't's Opp'n at
Plaintiffs' counsel subsequently filed a Motion to Compel
Compliance with the Subpoena, which the Government opposed.
The court held oral argument on the motion and subsequently
ordered OPM to submit the withheld materials to the court for
in camera inspection.
Minute Order (Jan. 9, 2017). OPM provided an unredacted,
Bates-stamped copy of the withheld documents to the
court. See Notice of Submission of Docs.
for In Camera Inspection, ECF No. 10.
Government may object to a subpoena for records on the basis
that the materials sought are protected from disclosure.
See Tuite v. Henry, 98 F.3d 1411, 1416-17 (D.C. Cir.
1996). In doing so, however, the Government bears the burden
of proving each element of the privilege it asserts. See
In re Sealed Case, 737 F.2d 94, 99 (D.C. Cir. 1984). If
the Government raises a qualified privilege, then the burden
shifts to the party seeking disclosure to show that its need
for the privileged material outweighs the Government's
interest in withholding ...