In re Anthem, Inc. Data Breach Litigation

United States District Court, District of Columbia

February 21, 2017

IN RE ANTHEM, INC. DATA BREACH LITIGATION

          MEMORANDUM OPINION

          Amit P. Mehta, United States District Judge

         Anthem, Inc., a health benefits and health insurance company, suffered a massive cyberattack on its computer systems sometime between December 2014 and January 2015. The hackers stole personally identifiable information and personal health information of approximately 80 million people. Amongst those whose information was compromised were federal employees who receive their health insurance through the Federal Employee Health Benefits Program. Some individuals whose information was compromised filed suit against Anthem, Inc., its affiliates, and involved third-party corporations, ultimately leading to consolidation of those cases in the form of a class-action, multidistrict litigation in the United States District Court for the Northern District of California.

         On May 13, 2016, Lead Plaintiffs in the multidistrict litigation issued a subpoena for documents to the United States Office of Personnel Management (“OPM”), the agency responsible for negotiating and administering the federal government's health insurance contracts with Anthem, Inc., and its affiliates. Those contracts authorize OPM to conduct audits of the insurance carriers' information technology systems (“IT systems”). Lead Plaintiffs' subpoena seeks records relating to OPM's IT systems audits of Anthem, Inc., and its affiliates, both before and after the cyberattack. The agency released a portion of the documents responsive to the subpoena but withheld others, claiming that the deliberative process privilege protected all the withheld documents from disclosure and the law enforcement privilege also protected certain of those documents. Lead Plaintiffs then filed, in this court, a Motion to Compel OPM to disclose the withheld records.

         After the benefit of substantial briefing, oral argument, and in camera review of the documents in question, the court finds that most of the documents withheld by OPM are protected by the deliberative process privilege. Some of the withheld documents or portions thereof, however, contain only factual information. As to those records or portions of records, the court concludes that neither the deliberative process nor the law enforcement privilege applies. Accordingly, the court grants in part and denies in part the Lead Plaintiffs' Motion to Compel.

         I. BACKGROUND

         A. Anthem's Contract with the Office of Personnel Management

         Anthem, Inc. (“Anthem”) provides health benefits and health insurance services to millions of individuals through a nationwide network of affiliate and third-party entities.[1] See In re Anthem, Inc. Data Breach Litig., No. 15-2617, 2016 WL 3029783, at *2 (N.D. Cal. May 27, 2016); Pls.' Mot. to Compel Compliance with Subpoena Duces Tecum, ECF No. 1 [hereinafter Pls.' Mot.], at 1-2 & n.3.[2] To provide these services, Anthem, its affiliates, and the third-party entities maintain a common computer database of current and former members' personal information. See In re Anthem, 2016 WL 3029783, at *2. This information includes, but is not limited to, individuals' Social Security numbers, home addresses, and confidential medical information. See Pls.' Mot. at 2.

         Amongst those Anthem serves are federal employees. The United States Office of Personnel Management (“OPM”) negotiates and administers the federal government's contracts with insurance providers, including Anthem. See Non-Party Resp't's Mem. in Opp'n to Pls.' Mot. to Compel, ECF No. 5 [hereinafter Gov't's Opp'n], at 2. By statute, OPM's Office of the Inspector General (“OIG”) has authority to periodically conduct audits of entities receiving OPM funds or benefits, such as insurance carriers that contract to provide services to federal employees. See 5 U.S.C. app. 3 § 2(1); Gov't's Opp'n at 2-3; Gov't's Opp'n, Decl. of Norbert E. Vint, ECF No. 5-2 [hereinafter Vint Decl.], ¶ 3. Consistent with that statute, Anthem's contract with OPM authorizes OIG to audit Anthem's IT systems. See Pls.' Mot. at 3.

         OIG's IT systems audits benefit both OPM and the audited entity. The audits “are designed to identify weaknesses [in the audited entity's IT systems] so that the audited entity may institute appropriate safeguards against threats.” Gov't's Opp'n, Decl. of Nicholas Hoyle, ECF No. 5-3 [hereinafter Hoyle Decl.], ¶ 4. The overarching goal is for OIG to “evaluate the effectiveness of the entity's preventive measures and recommend remedies as needed” so as to “assist the audited entity with preventing criminal actors from stealing and exploiting [the] personal identifiable information and protected health information” of federal employee-enrollees. Id. The audit has the simultaneous effect of keeping OPM abreast of the audited entity's present compliance with its federal contract and federal law. Generally speaking, the audit assesses several “general IT security controls: security management, physical access controls; logical access controls; network security; business continuity; configuration management; and segregation of duties.” Id. ¶ 7.

         OIG's audit takes several steps to complete. The process begins with two on-site investigations, after which OIG discusses its “preliminary concerns” with the audited entity and ensures it has all the information it needs to proceed with the audit. See id. ¶¶ 11-12. Next, equipped with the necessary information, OIG analyzes vulnerabilities in the IT system and produces a draft audit report, which it releases to the audited entity for response and factual corrections. See id. ¶¶ 13, 21; Vint Decl. ¶ 7. Finally, OIG publishes a final audit report, which takes account of any corrections the audited entity made to the draft audit report, the audited entity's written response to the draft audit report, and OIG's “final determination regarding its findings and recommendations.” Hoyle Decl. ¶ 13; accord Vint Decl. ¶ 7.

         B. OIG's Audits of Anthem's IT Systems

         In 2013, OIG audited Anthem's IT systems (“the 2013 Audit”) and generated a report with findings and recommendations for addressing identified weaknesses in Anthem's systems. See Pls.' Mot. at 3; Gov't's Opp'n at 3; Pls.' Mot., Ex. D [hereinafter 2013 Final Audit Report]. OPM's internal discussions regarding Anthem continued after the 2013 Audit concluded. OPM's Audit Resolution Branch reviewed the recommendations in the 2013 Final Audit Report and evaluated whether Anthem had appropriately implemented them, a process known as “closing out” a recommendation. See Gov't's Opp'n at 3-4.

         One of the key issues that arose during the 2013 Audit was that Anthem, citing company policy, refused to allow OIG auditors to connect their equipment to Anthem's network to conduct a configuration compliance test. See 2013 Final Audit Report at 9-10; see also Pls.' Mot. at 4. As a result, the auditors were prevented from conducting as thorough an audit as they had planned and believed necessary. Consequently, after the 2013 Audit concluded, OPM staff discussed whether and in what ways to amend Anthem's federal contract “to ensure that OIG audit staff has sufficient access to contractor systems and materials, to prevent a recurrence of issues encountered by OIG during the 2013 Audit.” Gov't's Opp'n at 3-4; accord Gov't's Opp'n, Decl. of Alan Spielman, ECF No. 5-1 [hereinafter Spielman Decl.], at 2.

         In February 2015, Anthem announced that its centralized database had been hacked, compromising the security of approximately 80 million individuals' sensitive personal information. See Pls.' Mot. at 3; Gov't's Opp'n at 2; Pls.' Mot., Ex. C. Following the cyberattack, OIG conducted another audit of Anthem's IT systems, including preparation of draft and final audit reports. See Gov't's Opp'n at 4. Although the 2015 Final Audit Report is now complete and OPM has shared that report with Anthem, OPM has not yet made the report available to the public. See id. (stating that the 2015 Final Audit Report has not yet been published); Pls.' Reply, ECF No. 6 [hereinafter Pls.' Reply], at 1 & n.2 (explaining that the 2015 Draft Audit Report and 2015 Final Audit Report are no longer at issue in this litigation because the Government has provided them to Lead Plaintiffs).

         C. The Subpoena to OPM

         Following the cyberattack, a number of Anthem customers filed class action claims in various jurisdictions, generally asserting that Anthem and other involved entities “(1) fail[ed] to adequately protect Anthem's data systems, (2) fail[ed] to disclose to customers that Anthem did not have adequate security practices, and (3) fail[ed] to timely notify customers of the data breach.” In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953, 968 (N.D. Cal. 2016). Shortly thereafter, several plaintiffs moved to consolidate the cases, and the United States Judicial Panel on Multidistrict Litigation transferred all cases “arising out of the Anthem data breach” to the Northern District of California to proceed as a single action before The Honorable Lucy H. Koh. See id.[3] One of the claims advanced in the multidistrict litigation is a third-party beneficiary claim for breach of contract on behalf of those federal employees who were enrolled in the Federal Employee Health Benefits Plan at the time of the cyberattack, received their health insurance and related benefits from Anthem, and whose personal information was compromised as a result. See Redacted Version of Third Am. Compl., In re Anthem, No. 15-2617 (N.D. Cal. July 11, 2016), ECF No. 537-3, ¶¶ 434, 517-33.[4]

         On May 13, 2016, Lead Plaintiffs' counsel in the multidistrict litigation submitted a request to OPM's General Counsel for 17 categories of documents related to the agency's 2013 and 2015 audits of Anthem. Pls.' Mot. at 9; see also 5 C.F.R. § 295.203. Counsel simultaneously served OPM with a subpoena, demanding production of the same 17 categories of documents. See Pls.' Mot. at 9; Pls.' Mot., Ex. A [hereinafter Subpoena]. Pursuant to Rule 45 of the Federal Rules of Civil Procedure, the Department of Justice, acting on OPM's behalf, objected to the subpoena. Pls.' Mot., Ex. M; see Fed. R. Civ. P. 45(d)(2)(B).

         After several discussions between Lead Plaintiffs' counsel and the Department of Justice, Lead Plaintiffs narrowed their demand for documents, and OPM released various documents but continued to withhold others. See Pls.' Mot. at 11-12. OPM asserts that the documents it has not released to Lead Plaintiffs are protected under the deliberative process and law enforcement privileges. See Pls.' Mot. at 12; Gov't's Opp'n at 4-5. The withheld documents fall into three categories:

1. Audit workpapers pertaining to (i) Anthem's refusal to permit OPM to conduct certain audit testing, and (ii) auditor reviews and conclusions about Anthem's information system security measures and practices;
2. Meeting write-ups, which document meetings between auditors and Anthem representatives regarding, amongst other things, Anthem's network configuration management, security, and risk assessment; and
3. E-mails between and amongst federal employees discussing (i) potential changes to federal contracts, including Anthem's contract, and (ii) whether Anthem successfully implemented certain recommendations that OIG made as part of the 2013 Audit.

See Gov't's Opp'n at 5; Pls.' Mot. at 12-23; see also Pls.' Reply at 1.[5] The Government contends that all the documents in these categories are protected from disclosure by the deliberative process privilege and that the law enforcement privilege also applies to prevent disclosure of the audit workpapers and meeting write-ups. See Gov't's Opp'n at 5.

         Lead Plaintiffs' counsel subsequently filed a Motion to Compel Compliance with the Subpoena, which the Government opposed. The court held oral argument on the motion and subsequently ordered OPM to submit the withheld materials to the court for in camera inspection. See Minute Order (Jan. 9, 2017). OPM provided an unredacted, Bates-stamped copy of the withheld documents to the court.[6] See Notice of Submission of Docs. for In Camera Inspection, ECF No. 10.

         II. LEGAL PRINCIPLES

         The Government may object to a subpoena for records on the basis that the materials sought are protected from disclosure. See Tuite v. Henry, 98 F.3d 1411, 1416-17 (D.C. Cir. 1996). In doing so, however, the Government bears the burden of proving each element of the privilege it asserts. See In re Sealed Case, 737 F.2d 94, 99 (D.C. Cir. 1984). If the Government raises a qualified privilege, then the burden shifts to the party seeking disclosure to show that its need for the privileged material outweighs the Government's interest in withholding ...

