The U.S. District Court for the Northern District of California ruled that the Employee Retirement Income Security Act (ERISA) preempts state-law claims arising out of Anthem’s data breach in Smilow, et al. v. Anthem Life & Disability Ins. Co., et al., No. 15-MD-02617-LHK (N.D. Cal. Nov. 24, 2015) (consolidated as In re Anthem, Inc. Data Breach Litigation). In reaching its conclusion, the District Court found that Defendants—Anthem and two ERISA plan administrators—did not have an independent legal duty to protect Plaintiffs’ privacy under state privacy laws.

Anthem is one of the largest health benefits companies in the United States. Based on Anthem’s public announcements, in or around December 2014, cyber-attackers breached Anthem’s data systems. The security of personal health information of Anthem plan participants may have been compromised over the course of several weeks.