The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CareFirst Inc. Data Breach Lawsuit Dismissed for Lack of Standing

A class-action data breach lawsuit filed against CareFirst Inc. and CareFirst of Maryland Inc. following the 1.1 million-record data breach of 2015 – and a second breach in 2014 – has been dismissed by a Maryland federal court for lack of standing.

The lawsuit, which was filed by two plaintiffs – Scott Adamson and Pamela Chambliss – was dismissed by Judge Richard Bennett after the pair were unable to allege facts sufficient to support the case.

The pair alleged CareFirst had been negligent for failing to protect its computer hardware, resulting in the exposure of plan members’ names, ID numbers, and dates of birth. While any health insurer data breach could potentially place plan members at risk of harm or loss, in this case no Social Security numbers, credit card numbers, or financial information were exposed.

The plaintiffs did not allege that their personal information had actually been used, but claimed their personal information had value and its exposure placed them at an increased risk of harm or loss. However, there was some doubt as to the amount of potential harm the pair could have faced as a result of their information being exposed.

The plaintiffs were unable to provide sufficient evidence to suggest that their data had actually been viewed, accessed, or misused, and failed to adequately explain how the exposed data could actually have been used to cause harm or loss. In his ruling, Bennett pointed out that a considerable amount of time had passed since the data breach occurred, yet still no harm had been suffered.

CareFirst filed a motion to have the case dismissed for lack of standing and cited the Clapper v. Amnesty International USA case. In that case, the U.S. Supreme Court ruled that a plaintiff can allege an injury based on future harm, but “the threatened injury must be certainly impending to constitute an injury in fact.”

“Where the alleged injury requires a lengthy chain of assumptions, including ‘guesswork as to how independent decision makers will exercise their judgment,’ the injury is too speculative to be certainly impending,” Judge Bennett said. The financial harm suffered was limited to the costs of mitigating risk – such as credit monitoring services – although this too was dismissed by the judge as being insufficient to confer standing.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
