UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
IN RE: ANTHEM, INC. DATA BREACH LITIGATION
Case No. 16-mc-02210 (APM)
MEMORANDUM OPINION
Anthem, Inc., a health benefits and health insurance company, suffered a massive
cyberattack on its computer systems sometime between December 2014 and January 2015.
The hackers stole personally identifiable information and personal health information of
approximately 80 million people. Amongst those whose information was compromised were
federal employees who receive their health insurance through the Federal Employee Health
Benefits Program. Some individuals whose information was compromised filed suit against
Anthem, Inc., its affiliates, and involved third-party corporations, ultimately leading to
consolidation of those cases in the form of a class-action, multidistrict litigation in the United
States District Court for the Northern District of California.
On May 13, 2016, Lead Plaintiffs in the multidistrict litigation issued a subpoena for
documents to the United States Office of Personnel Management (“OPM”), the agency responsible
for negotiating and administering the federal government’s health insurance contracts with
Anthem, Inc., and its affiliates. Those contracts authorize OPM to conduct audits of the insurance
carriers’ information technology systems (“IT systems”). Lead Plaintiffs’ subpoena seeks records
relating to OPM’s IT systems audits of Anthem, Inc., and its affiliates, both before and after the
cyberattack. The agency released a portion of the documents responsive to the subpoena but
withheld others, claiming that the deliberative process privilege protected all the withheld
documents from disclosure and the law enforcement privilege also protected certain of those
documents. Lead Plaintiffs then filed, in this court, a Motion to Compel OPM to disclose the
withheld records.
After the benefit of substantial briefing, oral argument, and in camera review of the
documents in question, the court finds that most of the documents withheld by OPM are protected by
the deliberative process privilege. Some of the withheld documents or portions thereof, however,
contain only factual information. As to those records or portions of records, the court concludes
that neither the deliberative process nor the law enforcement privilege applies. Accordingly, the
court grants in part and denies in part the Lead Plaintiffs’ Motion to Compel.
I. BACKGROUND
A. Anthem’s Contract with the Office of Personnel Management
Anthem, Inc. (“Anthem”) provides health benefits and health insurance services to millions
of individuals through a nationwide network of affiliate and third-party entities.[1] See In re Anthem,
Inc. Data Breach Litig., No. 15-2617, 2016 WL 3029783, at *2 (N.D. Cal. May 27, 2016); Pls.’
Mot. to Compel Compliance with Subpoena Duces Tecum, ECF No. 1 [hereinafter Pls.’ Mot.], at
1–2 & n.3.[2] To provide these services, Anthem, its affiliates, and the third-party entities maintain
a common computer database of current and former members’ personal information. See In re
Anthem, 2016 WL 3029783, at *2. This information includes, but is not limited to, individuals’
Social Security numbers, home addresses, and confidential medical information. See Pls.’ Mot. at
2.

[1] The court notes that from 2004 to December 2014, the entity now known as Anthem, Inc., was called WellPoint,
Inc. See Pls.’ Mot. to Compel Compliance with Subpoena Duces Tecum, ECF No. 1, at 1. For ease of reference and
consistent with the parties’ practice, the court does not distinguish between “WellPoint” and “Anthem” in this opinion.
Anthem provides its services through a number of affiliate and third-party entities. The Third Consolidated
Amended Class Action Complaint in the multidistrict litigation named as defendants not only Anthem, but also 27
Anthem affiliates, the Blue Cross Blue Shield Association, and 14 non-Anthem Blue Cross Blue Shield companies.
See Redacted Version of Third Am. Compl., In re Anthem, Inc. Data Breach Litig., No. 15-2617 (N.D. Cal. July 11,
2016), ECF No. 537-3, ¶¶ 123–51, 153–66. Lead Plaintiffs’ subpoena directed OPM to release documents pertaining
to its audit of “Anthem,” which the subpoena defined to include Anthem and the 27 Anthem affiliates. See Pls.’ Mot.,
Ex. A [hereinafter Subpoena], Sched. A, at 1–2. This opinion’s use of “Anthem” collectively refers to Anthem, Inc.,
and all those affiliated entities directed to respond to Lead Plaintiffs’ subpoena; it does not encompass any entity not
listed in the subpoena, even if a party to the multidistrict litigation.
[2] All pin citations in this opinion are to the cited document’s original pagination or numbered paragraphs, where
available.

Amongst those Anthem serves are federal employees. The United States Office of
Personnel Management (“OPM”) negotiates and administers the federal government’s contracts
with insurance providers, including Anthem. See Non-Party Resp’t’s Mem. in Opp’n to Pls.’ Mot.
to Compel, ECF No. 5 [hereinafter Gov’t’s Opp’n], at 2. By statute, OPM’s Office of the Inspector
General (“OIG”) has authority to periodically conduct audits of entities receiving OPM funds or
benefits, such as insurance carriers that contract to provide services to federal employees. See
5 U.S.C. app. 3 § 2(1); Gov’t’s Opp’n at 2–3; Gov’t’s Opp’n, Decl. of Norbert E. Vint, ECF No.
5-2 [hereinafter Vint Decl.], ¶ 3. Consistent with that statute, Anthem’s contract with OPM
authorizes OIG to audit Anthem’s IT systems. See Pls.’ Mot. at 3.
OIG’s IT systems audits benefit both OPM and the audited entity. The audits “are designed
to identify weaknesses [in the audited entity’s IT systems] so that the audited entity may institute
appropriate safeguards against threats.” Gov’t’s Opp’n, Decl. of Nicholas Hoyle, ECF No. 5-3
[hereinafter Hoyle Decl.], ¶ 4. The overarching goal is for OIG to “evaluate the effectiveness of
the entity’s preventive measures and recommend remedies as needed” so as to “assist the audited
entity with preventing criminal actors from stealing and exploiting [the] personal identifiable
information and protected health information” of federal employee-enrollees. Id. The audit has
the simultaneous effect of keeping OPM abreast of the audited entity’s present compliance with
its federal contract and federal law. Generally speaking, the audit assesses several “general IT
security controls: security management, physical access controls; logical access controls; network
security; business continuity; configuration management; and segregation of duties.” Id. ¶ 7.
OIG’s audit takes several steps to complete. The process begins with two on-site
investigations, after which OIG discusses its “preliminary concerns” with the audited entity and
ensures it has all the information it needs to proceed with the audit. See id. ¶¶ 11–12. Next,
equipped with the necessary information, OIG analyzes vulnerabilities in the IT system and
produces a draft audit report, which it releases to the audited entity for response and factual
corrections. See id. ¶¶ 13, 21; Vint Decl. ¶ 7. Finally, OIG publishes a final audit report, which
takes account of any corrections the audited entity made to the draft audit report, the audited
entity’s written response to the draft audit report, and OIG’s “final determination regarding its
findings and recommendations.” Hoyle Decl. ¶ 13; accord Vint Decl. ¶ 7.
B. OIG’s Audits of Anthem’s IT Systems
In 2013, OIG audited Anthem’s IT systems (“the 2013 Audit”) and generated a report with
findings and recommendations for addressing identified weaknesses in Anthem’s systems. See
Pls.’ Mot. at 3; Gov’t’s Opp’n at 3; Pls.’ Mot., Ex. D [hereinafter 2013 Final Audit Report]. OPM’s
internal discussions regarding Anthem continued after the 2013 Audit concluded. OPM’s Audit
Resolution Branch reviewed the recommendations in the 2013 Final Audit Report and evaluated
whether Anthem had appropriately implemented them—a process known as “closing out” a
recommendation. See Gov’t’s Opp’n at 3–4.
One of the key issues that arose during the 2013 Audit was that Anthem, citing company
policy, refused to allow OIG auditors to connect their equipment to Anthem’s network to conduct
a configuration compliance test. See 2013 Final Audit Report at 9–10; see also Pls.’ Mot. at 4. As
a result, the auditors were prevented from conducting as thorough an audit as they had planned
and believed necessary. Consequently, after the 2013 Audit concluded, OPM staff discussed
whether and in what ways to amend Anthem’s federal contract “to ensure that OIG audit staff has
sufficient access to contractor systems and materials, to prevent a recurrence of issues encountered
by OIG during the 2013 Audit.” Gov’t’s Opp’n at 3–4; accord Gov’t’s Opp’n, Decl. of Alan
Spielman, ECF No. 5-1 [hereinafter Spielman Decl.], at 2.
In February 2015, Anthem announced that its centralized database had been hacked,
compromising the security of approximately 80 million individuals’ sensitive personal
information. See Pls.’ Mot. at 3; Gov’t’s Opp’n at 2; Pls.’ Mot., Ex. C. Following the cyberattack,
OIG conducted another audit of Anthem’s IT systems, including preparation of draft and final
audit reports. See Gov’t’s Opp’n at 4. Although the 2015 Final Audit Report is now complete and
OPM has shared that report with Anthem, OPM has not yet made the report available to the public.
See id. (stating that the 2015 Final Audit Report has not yet been published); Pls.’ Reply, ECF No.
6 [hereinafter Pls.’ Reply], at 1 & n.2 (explaining that the 2015 Draft Audit Report and 2015 Final
Audit Report are no longer at issue in this litigation because the Government has provided them
to Lead Plaintiffs).
C. The Subpoena to OPM
Following the cyberattack, a number of Anthem customers filed class action claims in
various jurisdictions, generally asserting that Anthem and other involved entities “(1) fail[ed] to
adequately protect Anthem’s data systems, (2) fail[ed] to disclose to customers that Anthem did
not have adequate security practices, and (3) fail[ed] to timely notify customers of the data breach.”
In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 968 (N.D. Cal. 2016). Shortly
thereafter, several plaintiffs moved to consolidate the cases, and the United States Judicial Panel
on Multidistrict Litigation transferred all cases “arising out of the Anthem data breach” to the
Northern District of California to proceed as a single action before The Honorable Lucy H. Koh.
See id.[3] One of the claims advanced in the multidistrict litigation is a third-party beneficiary claim
for breach of contract on behalf of those federal employees who were enrolled in the Federal
Employee Health Benefits Plan at the time of the cyberattack, received their health insurance and
related benefits from Anthem, and whose personal information was compromised as a result. See
Redacted Version of Third Am. Compl., In re Anthem, No. 15-2617 (N.D. Cal. July 11, 2016),
ECF No. 537-3, ¶¶ 434, 517–33.[4]

[3] Fact discovery in that proceeding closed, with stipulated exceptions, on December 1, 2016. See In re Anthem, No.
15-2617 (N.D. Cal. Oct. 26, 2016), ECF No. 609.
[4] For purposes of ruling on Lead Plaintiffs’ Motion, the court does not treat the federal employee-enrollees as situated
differently than any other plaintiff in the multidistrict litigation because Lead Plaintiffs represent that they intend to
use the withheld documents on behalf of all members of the overarching plaintiff-class, rather than restrict their use
to the benefit of the federal employee-enrollees whose personal information was compromised. See Pls.’ Mot. at 9–10.

On May 13, 2016, Lead Plaintiffs’ counsel in the multidistrict litigation submitted a request
to OPM’s General Counsel for 17 categories of documents related to the agency’s 2013 and 2015
audits of Anthem. Pls.’ Mot. at 9; see also 5 C.F.R. § 295.203. Counsel simultaneously served
OPM with a subpoena, demanding production of the same 17 categories of documents. See Pls.’
Mot. at 9; Pls.’ Mot., Ex. A [hereinafter Subpoena]. Pursuant to Rule 45 of the Federal Rules of
Civil Procedure, the Department of Justice, acting on OPM’s behalf, objected to the subpoena.
Pls.’ Mot., Ex. M; see Fed. R. Civ. P. 45(d)(2)(B).
After several discussions between Lead Plaintiffs’ counsel and the Department of Justice,
Lead Plaintiffs narrowed their demand for documents, and OPM released various documents but
continued to withhold others. See Pls.’ Mot. at 11–12. OPM asserts that the documents it has not
released to Lead Plaintiffs are protected under the deliberative process and law enforcement
privileges. See Pls.’ Mot. at 12; Gov’t’s Opp’n at 4–5. The withheld documents fall into three
categories:
1. Audit workpapers pertaining to (i) Anthem’s refusal to permit
OPM to conduct certain audit testing, and (ii) auditor reviews
and conclusions about Anthem’s information system security
measures and practices;
2. Meeting write-ups, which document meetings between auditors
and Anthem representatives regarding, amongst other things,
Anthem’s network configuration management, security, and risk
assessment; and
3. E-mails between and amongst federal employees discussing
(i) potential changes to federal contracts, including Anthem’s
contract, and (ii) whether Anthem successfully implemented
certain recommendations that OIG made as part of the 2013
Audit.
See Gov’t’s Opp’n at 5; Pls.’ Mot. at 12–23; see also Pls.’ Reply at 1.[5] The Government contends
that all the documents in these categories are protected from disclosure by the deliberative process
privilege and that the law enforcement privilege also applies to prevent disclosure of the audit
workpapers and meeting write-ups. See Gov’t’s Opp’n at 5.
Lead Plaintiffs’ counsel subsequently filed a Motion to Compel Compliance with the
Subpoena, which the Government opposed. The court held oral argument on the motion and
subsequently ordered OPM to submit the withheld materials to the court for in camera inspection.
See Minute Order (Jan. 9, 2017). OPM provided an unredacted, Bates-stamped copy of the
withheld documents to the court.[6] See Notice of Submission of Docs. for In Camera Inspection,
ECF No. 10.

[5] These categories reflect an amalgam of the parties’ descriptions of the documents currently being withheld. Per
Lead Plaintiffs’ representation, the 2015 Draft Audit Report and 2015 Final Audit Report are no longer at issue.
See Pls.’ Reply at 1 n.2.
[6] The pages of the withheld documents are identified as Anthem_00001 through Anthem_00267.

II. LEGAL PRINCIPLES
The Government may object to a subpoena for records on the basis that the materials sought
are protected from disclosure. See Tuite v. Henry, 98 F.3d 1411, 1416–17 (D.C. Cir. 1996). In
doing so, however, the Government bears the burden of proving each element of the privilege it
asserts. See In re Sealed Case, 737 F.2d 94, 99 (D.C. Cir. 1984). If the Government raises a
qualified privilege, then the burden shifts to the party seeking disclosure to show that its need for
the privileged material outweighs the Government’s interest in withholding it. See Hinckley v.
United States, 140 F.3d 277, 285–86 (D.C. Cir. 1998); In re Sealed Case, 121 F.3d 729, 737–38
(D.C. Cir. 1997) (per curiam).
A. Deliberative Process Privilege
The deliberative process privilege permits the Executive Branch to shield from disclosure
those materials “that would reveal advisory opinions, recommendations[,] and deliberations
comprising part of a process by which governmental decisions and policies are formulated.” See
In re Sealed Case, 121 F.3d at 737 (internal quotation marks omitted). The privilege embodies
“the commonsense notion that agencies craft better rules when their employees can spell out in
writing the pitfalls as well as strengths of policy options, coupled with the understanding that
employees would be chilled from such rigorous deliberation if they feared it might become public.”
Judicial Watch, Inc. v. U.S. Dep’t of Def., No. 16-5054, 2017 WL 490417, at *3 (D.C. Cir. Feb. 7,
2017) (citing N.L.R.B. v. Sears, Roebuck & Co., 421 U.S. 132, 150 (1975)). Additionally, it guards
against “premature disclosure of ideas that are not—or not yet—final policy.” Judicial Watch,
2017 WL 490417, at *3.
The Government routinely raises the deliberative process privilege in response to requests
made pursuant to the Freedom of Information Act, see 5 U.S.C. § 552(b)(5), but the privilege’s
application is not limited to that context, see In re Sealed Case, 121 F.3d at 737. The privilege
may be invoked in response to a subpoena for records. See id. Any material that the Government
shows to be both “predecisional” and “deliberative” falls within the ambit of the privilege. Judicial
Watch, Inc. v. Food & Drug Admin., 449 F.3d 141, 151 (D.C. Cir. 2006). “[A] document [is]
predecisional if it was generated before the adoption of an agency policy and deliberative if it
reflects the give-and-take of the consultative process.” Id. (internal quotation marks omitted).
That a document falls within the scope of the deliberative process privilege is not
dispositive of whether the Government ultimately can withhold that document in full or in part.
The privilege is qualified. Otherwise privileged materials may be ordered disclosed if the court
concludes the private need for disclosure outweighs the public interest in non-disclosure. In re
Sealed Case, 121 F.3d at 737. When balancing those interests, the court must consider such factors
as “the relevance of the evidence, the availability of other evidence, the seriousness of the
litigation, the role of the government, and the possibility of future timidity by government
employees” should the materials be released. Id. at 737–38 (internal quotation marks omitted).
The party seeking the documents bears the burden of demonstrating that the balance of interests
tips in his or her favor. See id. at 737. However, even when the court concludes the scales do not
tilt towards disclosure, factual material in privileged documents must be disclosed unless that
material is “so inextricably intertwined with the deliberative sections of documents that its
disclosure would inevitably reveal the government’s deliberations.” Id.
B. Law Enforcement Privilege
The Executive Branch may raise the law enforcement privilege to prevent disclosure of
materials that are part of law enforcement investigations. This privilege aims to protect the
integrity of law enforcement techniques, sources, and investigations—disclosure of which would
be “contrary to the public interest in the effective functioning of law enforcement.” See Tuite v.
Henry, 181 F.R.D. 175, 176–77 (D.D.C. 1998), aff’d per curiam, 203 F.3d 53 (D.C. Cir. 1999).
To prevent a document’s disclosure under this privilege, the Executive Branch must establish that
(1) the head of the department, who had some control over the information, made a formal claim
of privilege; (2) that individual had personally considered the basis for raising the privilege; and
(3) the information for which the privilege is claimed, described in detail, properly falls within the
scope of the privilege. In re Sealed Case, 856 F.3d 268, 271 (D.C. Cir. 1988).
This privilege, too, is qualified. In determining whether to order disclosure of privileged
materials, the court must weigh the public interest in non-disclosure against the private need for
the information. Id. at 272. The D.C. Circuit has identified a number of factors for the court to
consider when assessing these competing interests:
(1) the extent to which disclosure will thwart governmental
processes by discouraging citizens from giving the government
information; (2) the impact upon persons who have given
information of having their identities disclosed; (3) the degree to
which governmental self-evaluation and consequent program
improvement will be chilled by disclosure; (4) whether the
information sought is factual data or evaluative summary;
(5) whether the party seeking discovery is an actual or potential
defendant in any criminal proceeding either pending or reasonably
likely to follow from the incident in question; (6) whether the police
investigation has been completed; (7) whether any
interdepartmental disciplinary proceedings have arisen or may arise
from the investigation; (8) whether the plaintiff’s suit is non-
frivolous and brought in good faith; (9) whether the information
sought is available through other discovery or from other sources[;]
[and] (10) the importance of the information sought to the plaintiff’s
case.
Id. (quoting Frankenhauser v. Rizzo, 59 F.R.D. 339, 344 (E.D. Pa. 1973)). No single factor is
dispositive. Additionally, in the context of the law enforcement privilege, “need” is “an elastic
concept that does not turn only on the availability of the information from an alternative source.”
Tuite, 98 F.3d at 1417.
III. DISCUSSION
The Government submits that the deliberative process privilege protects all three categories
of documents withheld from disclosure—the audit workpapers, meeting write-ups, and e-mails.
See Gov’t’s Opp’n at 8, 16. Further, according to the Government, none of the factual material
within the audit workpapers and meeting write-ups can be disclosed without revealing OIG’s
deliberative process. See id. at 12. Additionally, the Government contends that the law
enforcement privilege protects the audit workpapers and meeting write-ups from disclosure. See
id. at 22. Lead Plaintiffs respond that neither the deliberative process privilege nor the law
enforcement privilege applies to any document currently withheld, but even if one or both
privileges apply, Lead Plaintiffs’ need for the materials outweighs any interest the Government
has in withholding them. See Pls.’ Mot. at 28–29, 38.
The court begins its analysis by determining which documents are eligible for protection
under the deliberative process privilege and assessing whether the balance of interests weighs in
favor of allowing the Government to withhold those documents. Next, the court evaluates whether
those documents ineligible for protection under the deliberative process privilege are eligible for
protection under the law enforcement privilege. Lastly, the court weighs the competing interests
to determine whether the Government should be required to disclose those documents otherwise
covered by the law enforcement privilege.
A. Which Documents are Subject to the Deliberative Process Privilege
After carefully reviewing the documents in camera, the court concludes that all the
withheld e-mails, but only a portion of the audit workpapers and meeting write-ups, are subject to
the deliberative process privilege.
1. Whether the Materials are “Predecisional”
The parties disagree as to whether the withheld materials are “predecisional” and whether
they are “deliberative.” The Government believes that the audit workpapers, meeting write-ups,
and e-mails are predecisional because they “contain[] specific analysis and recommendations
regarding vulnerabilities” in Anthem’s IT systems that informed the content of the 2013 Final
Audit Report, modifications to Anthem’s contract, and conclusions regarding Anthem’s
compliance with OPM’s recommendations. See Gov’t’s Opp’n at 8, 16.
Lead Plaintiffs disagree that the materials are predecisional because “[t]here is no reference
anywhere in the 2013 [Final] Audit Report to any decisionmaker to whom the Audit will be
submitted, or any decision in which the Audit will be considered.” See Pls.’ Mot. at 30. Moreover,
Lead Plaintiffs contend, the 2013 Final Audit Report does not contain a recommendation to an
agency decisionmaker—instead, it directs its recommendations to Anthem itself—which
undercuts the Government’s representation that the 2013 Final Audit Report is a final agency
decision within the meaning of the deliberative process privilege. See id.
The court concludes that Lead Plaintiffs’ conception of predecisional materials is far too
narrow. Predecisional materials are those that predate an agency’s decision or adoption of a policy
and which comprise part of a process by which the Government reached that decision or policy.
See Judicial Watch, 449 F.3d at 151; In re Sealed Case, 121 F.3d at 737. There can be little doubt
that the audit workpapers and meeting write-ups are predecisional in nature. The Government
represents that OPM’s final “decision” with respect to the audit workpapers and meeting write-ups
is its 2013 Final Audit Report, which results from the collection and review of the interim materials
the audit team generates in the process of making its findings and recommendations. See Oral
Argument Tr. (rough draft), at 25.[7] The audit workpapers and meeting write-ups currently
withheld all predate and contributed to the 2013 Final Audit Report. Therefore, they are
“predecisional” within the meaning of the deliberative process privilege. See, e.g., Hamilton Secs.
Grp., Inc. v. Dep’t of Housing & Urban Dev., 106 F. Supp. 2d 23, 29–31 (D.D.C. 2000)
(concluding draft audit report was predecisional because it predated and contributed to the final
audit report), aff’d, No. 00-5331, 2001 WL 238162 (D.C. Cir. 2001) (per curiam) (mem.); see also
Moye, O’Brien, O’Rourke, Hogan & Pickert v. Nat’l R.R. Passenger Corp., 376 F.3d 1270, 1279
(11th Cir. 2004) (concluding audit workpapers and internal memoranda were predecisional
because they predated and contributed to the final audit report).

[7] A final transcript of the Oral Argument held on January 6, 2017, is not yet available.

The withheld emails are equally predecisional. “Developing a ‘position’ on actions that
another decision-maker might take is workaday agency business, not nefarious government
activity, and opinions meant to contribute towards that deliberative process” are privileged. ICM
Registry, LLC v. U.S. Dep’t of Commerce, 538 F. Supp. 2d 130, 135 (D.D.C. 2008). The withheld
e-mails document “workaday agency business” concerning (1) whether and how to modify OPM’s
contracts with Anthem and other health insurers, and (2) whether to close out audit
recommendations made in connection with the 2013 Audit. The former category of e-mails
comprises part of OPM’s process of amending carrier contracts to ensure that auditors are able to
carry out their statutory duties by optimizing their access to health insurers’ systems. The latter
category of e-mails comprises part of OPM’s process of evaluating whether Anthem has the ability
to comply and is complying with its federal contract. See Spielman Decl. at 2 (explaining that the
e-mails and their attachments “are utilized to make complicated and sensitive decisions related to
OPM’s contracts with health benefits carriers”); cf. Hoyle Decl. ¶ 4 (explaining that the very
purpose of the audit is to “evaluate the effectiveness of the entity’s preventive measures and
recommend remedies as needed”). These are precisely the types of agency decision-making
processes that the courts should carefully avoid exposing to the public or to private parties. See
Sears, 421 U.S. at 151 n.18 (“Agencies are, and properly should be, engaged in a continuing
process of examining their policies; this process will generate memoranda containing
recommendations which do not ripen into agency decisions; and the lower courts should be wary
of interfering with this process.”).
Consequently, the audit workpapers, meeting write-ups, and e-mails comprise a part of the
decisional processes that resulted in the 2013 Final Audit Report and inform whether and under
what terms the Government contracts with Anthem and others in the future. Accordingly, those
materials are “predecisional” within the meaning of the deliberative process privilege.
2. Whether the Materials are Deliberative
Predecisional materials are not inherently “deliberative.” To be “deliberative,” a document
must reflect “part of the agency give-and-take by which the decision itself is made.” Hinckley,
140 F.3d at 284 (internal quotation marks omitted). The Government submits that the materials it
has withheld are deliberative because they contain federal employees’ preliminary notes, thoughts,
and opinions regarding the content in the 2013 Final Audit Report, modifications to health insurers’
contracts, and Anthem’s compliance with OPM’s recommendations. See Gov’t’s Opp’n at 11–12,
16–17. Lead Plaintiffs fundamentally disagree that the withheld materials relate to the agency’s
ultimate adoption of any policy or implicate any high-level decisions and, accordingly, contend
that the withheld documents cannot be considered deliberative. Pls.’ Mot. at 34–35.
a. Audit Workpapers
Two pages of the audit workpapers qualify as “deliberative.” The withheld materials
include two computer screenshots (Anthem_00023, Anthem_00024) that reveal specific sub-
components of OIG’s audit procedure, convey auditors’ progress in their audit of Anthem, and
contain notes and preliminary recommendations concerning the Anthem audit. These materials
plainly reflect sensitive, internal deliberations that are quintessentially “deliberative” within the
meaning of the privilege. Cf. Hamilton Secs. Grp., 106 F. Supp. 2d at 32 (holding draft audit report
was deliberative because it “d[id] not merely involve the collection and compilation of publicly
available data,” but rather, “judgments about what to collect, how to collect, and how to present
it”); Moye, 376 F.3d at 1279 (holding that audit workpapers that “document the entire body of
collaborative work performed by the auditors” in the process of performing the audit are
deliberative).
The remaining pages of the audit workpapers, however, do not qualify as “deliberative.”
The withheld materials contain two sign-in sheets for meetings conducted in connection with the
2013 Audit (Anthem_00005, Anthem_00017). These pages reflect only who attended the meeting,
the topic of the meeting, and the date and time of the meeting; not the productive content of the
meeting. Those materials are not deliberative. See, e.g., MacNamara v. City of New York, 249
F.R.D. 70, 81 (S.D.N.Y. 2008) (holding that documents listing individuals in attendance at
meetings of the municipal Civil Disturbance Subcommittee were not deliberative). Additionally,
the Government withheld an e-mail chain containing OPM’s request for Anthem’s official policy
statement as to why OPM was not permitted to perform its own vulnerability scans on Anthem’s
network (Anthem_00018–Anthem_00020), as well as two memoranda from OPM to Anthem
requesting actions by Anthem that served as an alternate to an auditor-performed vulnerability
15
scan (Anthem_00007, Anthem_00008).8 Neither the e-mail request for a policy statement nor
either memorandum is deliberative. Each conveys purely factual information. Moreover, these
documents do not contain auditors’ internal discussions; they reflect discussions between agency
auditors and non-agency actors, i.e., Anthem employees. In short, these materials do not “reflect[]
the give-and-take of the consultative process.” See Judicial Watch, 449 F.3d at 151 (internal
quotation marks omitted).
b. Meeting Write-Ups
The court finds that portions of three of the five meeting write-ups are “deliberative” within
the meaning of the deliberative process privilege. 9 The withheld materials include five report-like
summaries of topics discussed during meetings between the OIG auditors and Anthem
representatives.10 Each report identifies the topic of the meeting and contains an auditor-drafted
summary of facts presented by Anthem representatives. The reports cover the following topics:
configuration management, enterprise security, logical access, network security, and special
investigations and fraud. See Vint Decl. ¶ 13(a); Hoyle Decl. ¶ 14(a). Two reports—one on
enterprise security (Anthem_00006), the other on logical access (Anthem_00009–
Anthem_00010)—contain only factual information, without any annotations that reflect auditor
deliberations or thought processes. For the reasons discussed above, these meeting write-ups are
not deliberative and, therefore, are not protected by the privilege. See Judicial Watch, 449 F.3d at
151.
8 One memorandum contains bolded language updating the information request to include Anthem’s responses. This
language, however, is Anthem’s informal response to OPM’s information request, not government auditors’ internal
annotations. See Vint Decl. ¶ 13(b).
9 The court has identified which portions of these materials should be disclosed in the Order that accompanies this
Memorandum Opinion.
10 Although the Government represented that the withheld materials included “[s]even ‘Meeting Write-up’
workpapers,” see Vint Decl. ¶ 13(a); Hoyle Decl. ¶ 14(a), the materials submitted to the court in camera contained
only five meeting write-ups. Accordingly, the court passes no judgment on meeting write-ups purportedly regarding
“physical access” and “risk assessment.” See Vint Decl. ¶ 13(a)(v)–(vi); Hoyle Decl. ¶ 14(a)(v)–(vi). If those two
additional meeting write-ups were inadvertently excluded from OPM’s in camera submission, then OPM should
submit those records to the court for review.
The other three reports—on configuration management (Anthem_00001–Anthem_00004),
network security (Anthem_00011–Anthem_00016), and special investigations and fraud
(Anthem_00021–Anthem_00022)—contain mostly factual information, but also include some
subjective impressions of the auditors regarding pertinent points raised at the meetings and
subsequent steps to be taken in response to meeting discussions. The auditors’ subjective
impressions reflect the agency’s internal thoughts and considerations and are protected by the
privilege. See id. The factual information contained adjacent to those subjective impressions,
however, is plainly separate from those subjective impressions. The court is satisfied that the
factual material is not presented in a way that “distill[s] or highlight[s] particular facts,” but rather,
simply reflects information that Anthem provided OPM as part of the audit. Contra Gov’t’s Opp’n
at 12–14. Accordingly, because this factual information is not “inextricably intertwined” with
those portions of the documents that contain auditors’ notes and internal debates, and disclosure
of that information would not compromise privileged deliberations contained elsewhere, those
portions of the reports containing factual information are not covered by the privilege. See In re
Sealed Case, 121 F.3d at 737.
c. E-mail Correspondence
Lastly, the court concludes that the withheld e-mails (Anthem_00025–Anthem_00267)
between and amongst federal employees are uniformly deliberative. These e-mails present written
evidence of agency “brainstorming,” encompassing a wide range of suggestions, opinions,
productive disagreements, and preliminary conclusions involving revisions to OPM’s standard
federal contracts; recommendations for modifications to Anthem’s contract following the
cyberattack; and discussions over whether to accept Anthem’s responses to audit
recommendations. These materials are, at their core, the back-and-forth deliberative process
required for an agency to reach a decision. See id.; see also Moye, 376 F.3d at 1278 (explaining
that “materials embodying officials’ opinions are ordinarily exempt from disclosure”). They do
not contain segregable factual information. Accordingly, the withheld e-mails are “deliberative”
within the meaning of the deliberative process privilege.
* * *
In sum, only a portion of the withheld materials are subject to the deliberative process
privilege. Of the audit workpapers, only the two screenshots (Anthem_000023, Anthem_00024)
are subject to the deliberative process privilege. In contrast, the sign-in sheets (Anthem_00005,
Anthem_00017); e-mail request for a policy statement from Anthem (Anthem_00018–
Anthem_00020); and information request memoranda between OPM and Anthem
(Anthem_00007, Anthem_00008) are not subject to the deliberative process privilege. With
respect to the meeting write-ups, the enterprise security and logical access reports (Anthem_00006,
Anthem_00009–10) contain only factual material and are not subject to the privilege, but the
configuration management, network security, and special investigations and fraud reports
(Anthem_00001–Anthem_00004, Anthem_00011–Anthem_00016, Anthem_00021–Anthem_00022)
contain certain material that is both predecisional and deliberative, rendering those portions
of the documents subject to the privilege. Lastly, all the withheld electronic correspondence
between and amongst government actors (Anthem_00025–Anthem_00267) is subject to the
deliberative process privilege.
B. Whether Documents Protected Under the Deliberative Process Privilege Should
be Disclosed in Light of Lead Plaintiffs’ Demonstrated Need
Documents, or portions thereof, that are subject to the deliberative process privilege may
nonetheless be disclosed if Lead Plaintiffs’ demonstrated need for the document outweighs the
Government’s interest in withholding it. Lead Plaintiffs assert that they need all the withheld
materials in order to effectively support their position in the multidistrict litigation in California.
See Pls.’ Mot. at 38–39. They contend that the materials are not only relevant to that serious
litigation, but also that OPM is the only source on which they can depend to obtain the materials.
Id. at 38–40. Moreover, they submit, these materials were intended to benefit the very people who
now seek to use them—federal employee-enrollees who are plaintiffs in the multidistrict litigation.
Id. at 40. Lastly, Lead Plaintiffs suggest that any collateral possibility of government timidity or
harm resulting from the materials’ disclosure is mild, at worst, because the documents were
prepared by lower-level government staff members and could be released under a protective order
for use only in the multidistrict litigation, after which they would be returned to OPM. Id. at 40–
41. The Government responds that several factors indicate Lead Plaintiffs have not met their
burden of showing their need justifies disclosure of the privileged materials: (1) a blanket assertion
of “relevance” to the multidistrict litigation is too vague; (2) some of the information Lead
Plaintiffs seek is available from Anthem itself; (3) though the multidistrict litigation is serious, the
Government has an equal, if not more, serious interest in maintaining the confidentiality of its
audit procedures and methods; (4) OPM and OIG are not parties to the litigation; and (5) most
importantly, disclosure of these materials would prevent employees, of all levels, from engaging
in the “‘open and frank’ assessment that leads to better quality decision-making in government.”
See Gov’t’s Opp’n at 24–28.
The court agrees with the Government. Lead Plaintiffs have not sufficiently shown that
their need to use documents and portions of documents protected by the deliberative process
privilege outweighs the Government’s interest in withholding those documents.
The only audit workpapers the deliberative process privilege protects in full—the two
screenshots—reveal information at the center of the audit process and the auditor’s notations. Lead
Plaintiffs’ need to understand the audit process does not logically extend to an image of the
software used to conduct that audit. Moreover, the screenshots contain auditors’ subjective
impressions that, if disclosed, would risk chilling the critical eye with which auditors must perform
their duties. Indeed, the honesty and forthrightness of the entire audit process could be
compromised or diminished if government employees undertook the steps of an audit believing
their contemporaneous annotations would be subject to disclosure in later litigation.
Similar considerations lead the court to conclude that the internal agency e-mails
concerning audit close-out issues and potential contract modifications, as well as those portions of
the meeting write-ups subject to the deliberative process privilege, also should not be disclosed.
While these categories of documents may be available only from OPM, see Pls.’ Mot. at 39, their
disclosure too greatly risks thwarting employees’ ability to freely communicate and exchange
ideas. See Judicial Watch, 2017 WL 490417, at *3. Furthermore, substantial portions of the
withheld e-mails regarding contract modification are of limited or no relevance to the underlying
multidistrict litigation. Many pertain to OPM’s development of future federal benefits and
insurance contracts, generally, without any reference to Anthem, specifically. These e-mails are
of no obvious relevance in the underlying litigation, but are of great importance to the Government,
given that they reflect employees’ back-and-forth discussions over the proper character and
content of federal contracts. To the extent other e-mails are specific to Anthem, either regarding
contract modification or the closing out of particular recommendations, none pertain specifically
to the data breach or its causes. Therefore, what minimal interest, if any, Lead Plaintiffs have in
those records is still outweighed by the substantial risk of chilling government actors’ ability to
communicate effectively during the audit process. See id.
Overall, although the scope and allegations of the underlying litigation plainly are serious,
maintaining the confidentiality of the withheld information is of equal, if not greater, import.
Under these circumstances, on the record presented and with the benefit of having reviewed the
materials in camera, the court cannot say Lead Plaintiffs have carried their burden of proving the
balance of interests tips in favor of disclosure.
C. Which Documents Not Subject to the Deliberative Process Privilege are
Protected Under the Law Enforcement Privilege and Whether those
Documents Should be Disclosed in Light of Lead Plaintiffs’ Demonstrated
Need
Because the court concludes that several audit workpapers, two meeting write-ups, and
portions of three other meeting write-ups are not subject to the deliberative process privilege, the
court must reach the Government’s secondary argument that those materials are protected from
disclosure under the law enforcement privilege. The Government bears the burden of proving the
information for which the law enforcement privilege is claimed falls within the scope of the
privilege. See In re Sealed Case, 856 F.3d at 271.
Lead Plaintiffs maintain that the privilege cannot apply to the audit workpapers and
meeting write-ups because these materials were not created for and do not otherwise relate to an
ongoing criminal investigation—rather, in Lead Plaintiffs’ view, the audit was a routine
government act. See Pls.’ Mot. at 28–29. The Government submits that OPM’s audits are
conducted, in part, for law enforcement purposes, as part of the OIG’s statutory duty to “prevent
and detect fraud and abuse.” See Gov’t’s Opp’n at 20 (alterations omitted) (quoting 5 U.S.C. app.
3 § 2). Consequently, the Government’s argument continues, the audit workpapers and meeting
write-ups at issue here are subject to the privilege because they are written evidence of law
enforcement techniques the agency uses “to uncover weaknesses and potential violations of law
or practice, should they exist,” and, therefore, are protected from disclosure by the law enforcement
privilege. Id. at 21; see also id. at 20–22.
The Government advances three additional arguments against disclosure. First, the
Government represents that revelation of these materials would impair OPM’s ability to conduct
future investigations because companies would become aware of how OPM conducts its audits.
See id. at 22. Second, and relatedly, the Government believes disclosing the audit workpapers and
meeting write-ups would inappropriately make public what federal auditors found significant
about Anthem’s audit, thereby encouraging companies to tailor their responses to OIG audits and,
correlatively, jeopardizing the accuracy of OIG’s audit findings and recommendations. See id. at
23. Third, the Government fears that disclosing these materials will also have the effect of chilling
auditors’ candidness in describing the issues they encounter. See id.
The court assumes, without deciding, that the law enforcement privilege applies to these
materials because the court ultimately finds that the balance of interests tips in favor of disclosing
them to Lead Plaintiffs. First and foremost, these audit workpapers and meeting write-ups do not
pertain to an ongoing or closed criminal or civil investigation of a particular law violation and,
therefore, fall outside the heartland of the types of records the privilege is designed to protect.
Even if the court were to accept the Government’s position that an audit designed to ferret out
unknown, potential system weaknesses or law violations is entitled to some protection, OPM’s
2013 investigation of Anthem’s IT systems is now complete, and OPM has publicly disclosed the
weaknesses it identified in Anthem’s systems by publishing the 2013 Final Audit Report. See,
e.g., 2013 Final Audit Report at 9–10 (evaluating Anthem’s configuration compliance auditing
and stating that Anthem was “unable to provide any evidence that a configuration compliance
program had ever been in place at the company”). Thus, the need for continued secrecy of the
records informing OPM’s assessment is diminished. Additionally, the information to be disclosed
in the sign-in sheets, e-mail request for a policy statement, information requests, and write-ups on
the enterprise security and logical access meetings is purely factual. As these documents contain
no deliberative content, they cannot reasonably risk chilling government self-evaluation or internal
efforts to improve the audit process. Although certain materials are of greater significance and
relevance to Lead Plaintiffs’ lawsuit—e.g., the court presumes the sign-in sheets are of somewhat
lesser value to Lead Plaintiffs’ breach of contract claims than is OPM’s request for Anthem to send
an official policy statement pertaining to why it would not allow OPM to run a vulnerability scan
on Anthem’s network—the court accepts that all these materials may reasonably assist Lead
Plaintiffs in their underlying efforts to establish that “Anthem failed to take even the most basic
security precautions” that could have protected personal information. See Pls.’ Mot. at 2.11
Furthermore, disclosure of these materials simply does not carry the risks the Government
anticipates. First and foremost, all the materials to be disclosed will be covered by the protective
order in the underlying litigation. See Proposed Stipulated Protective Order, In re Anthem, No.
15-2617 (N.D. Cal. Sept. 18, 2015), ECF No. 292; Order Granting Stipulated Protective Order, In
re Anthem, No. 15-2617 (N.D. Cal. Sept. 21, 2015), ECF No. 293. Additionally, with respect to
the Government’s fears that disclosure will cause companies like Anthem to be less candid with
OIG auditors in the future, those fears are mitigated by the fact that the companies are contractually
obligated to cooperate during OIG’s IT systems audits. The companies also are incentivized to
supply requested information to auditors to promote renewal of their federal contract. Moreover,
given that OPM posts redacted final audit reports on OIG’s website, see Vint Decl. ¶ 9, companies
are further incentivized to cooperate with government auditors to avoid the public embarrassment
of their non-cooperation coming to light.12
11 The court also notes that it has no reason to believe Lead Plaintiffs’ lawsuit is frivolous or brought in bad faith.
Therefore, the court concludes that, even assuming the law enforcement privilege is broad
enough to encompass the materials in this litigation that are not protected by the deliberative
process privilege, the balance of interests warrants disclosure.
IV. CONCLUSION
In light of the foregoing, the court grants in part and denies in part Lead Plaintiffs’ Motion
to Compel. The court concludes the audit workpapers that are screenshots of internal auditing
procedures (Anthem_000023, Anthem_00024) and the e-mails between and amongst OPM
employees (Anthem_00025–Anthem_00267) are privileged and shall not be disclosed. The court
orders partial disclosure, in accordance with the Order accompanying this Memorandum Opinion,
of the three meeting write-ups pertaining to Anthem’s configuration management
(Anthem_00001–Anthem_00004), network security (Anthem_00011–Anthem_00016), and
special investigations and fraud (Anthem_00021–Anthem_00022). Further, the Government shall
disclose in full the written reports pertaining to meetings on Anthem’s “enterprise security” and
“logical access” (Anthem_00006, Anthem_00009–10). Lastly, the court orders disclosure in full
of the audit workpapers comprising the sign-in sheets (Anthem_00005, Anthem_00017); e-mail
request for a policy statement from Anthem (Anthem_00018–Anthem_00020); and information
request memoranda between OPM and Anthem (Anthem_00007, Anthem_00008).
12 Although the Government does not make the argument, the court also has considered the extent to which disclosure
of the sign-in sheets would affect those whose names, work telephone numbers, and/or employment titles appear
therein. The court concludes that release of this personal information will have little to no effect on these individuals’
privacy, as this personal information will be subject to the protective order.
A separate Order accompanies this Memorandum Opinion.
Dated: February 21, 2017 Amit P. Mehta
United States District Judge