A Brunswick man has filed a class-action lawsuit in federal court against Anthem Health Plans of Maine, just one month after the company disclosed a data breach that compromised personal and identifying information of 300,000 Maine residents.

Brian Mason alleges that Anthem failed to take the basic precautionary measure of encrypting consumers’ information, including dates of birth, addresses and Social Security numbers, which allowed hackers to access the company patient database.

“Unfortunately, Anthem, Inc.’s failure to encrypt … means that these customers’ data is now freely readable by the hackers who acquired it and by whomever these hackers choose to sell the (information) to,” the complaint states.

Mason is seeking $5 million in “damages, restitution, injunctive relief, and any other appropriate relief,” the suit states.

The breach, which occurred between Dec. 10, 2014, and Jan. 27, 2015, affected an estimated 80 million customers of Indianapolis-based Anthem nationwide. The company is the United States’ second-largest health insurance provider but is Maine’s largest by a wide margin.

Several state attorneys general, including Maine’s, have criticized Anthem’s delay in notifying customers of the breach.


The lawsuit, filed by Mason’s attorney, Ben Grant of Portland, mentions a 2014 report by the FBI that warned of cyberattacks on health insurance companies and claims Anthem did not heed those warnings.

Anthem also has had prior breaches.

In 2013, the insurer agreed to pay $1.7 million to resolve allegations it left the information of more than 612,000 members available online because of inadequate safeguards.

In 2008, the insurer offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online.

An in 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.

Dozens of similar lawsuits have been filed against Anthem in other states related to the most recent cyberattack.


Anthem officials have declined to comment on any pending litigation.

However, in a statement after its Feb. 5 announcement, Anthem spokesman Rory Sheehan said, “No credit card information was compromised, nor is there evidence at this time that medical information such as claims, test results or diagnostic codes were targeted or obtained.”

After the breach, Anthem retained Mandiant, a leading cybersecurity firm, to evaluate the company’s systems and identify solutions.

The company also offered to provide free credit monitoring and identity protection services to affected customers for up to one year.

Staff Writer Eric Russell can be contacted at 791-6344 or:

[email protected]

Twitter: @PPHEricRussell

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.