CareFirst Inc. Data Breach Lawsuit Dismissed for Lack of Standing
A class-action data breach lawsuit filed against CareFirst Inc. and CareFirst of Maryland Inc. following the 1.1 million-record data breach of 2015 – and a second breach in 2014 – has been dismissed by a Maryland federal court for lack of standing.
The lawsuit, which was filed by two plaintiffs – Scott Adamson and Pamela Chambliss – was dismissed by Judge Richard Bennett after the pair were unable to allege facts sufficient to support the case.
The pair alleged CareFirst had been negligent for failing to protect its computer hardware, resulting in the exposure of plan members’ names, ID numbers, and dates of birth. While any health insurer data breach could potentially place plan members at risk of harm or loss, in this case no Social Security numbers, credit card numbers, or financial information were exposed.
The plaintiffs did not allege that their personal information had actually been used, but claimed their personal information had value and its exposure placed them at an increased risk of harm or loss. However, there was some doubt as to the amount of potential harm the pair could have faced as a result of their information being exposed.
The plaintiffs were unable to provide sufficient evidence to suggest that their data had actually been viewed, accessed, or misused, and failed to adequately explain how the exposed data could actually have been used to cause harm or loss. In his ruling, Bennett pointed out that a considerable amount of time had passed since the data breach occurred, yet still no harm had been suffered.
CareFirst filed a motion to have the case dismissed for lack of standing and cited the Clapper v. Amnesty International USA case. In that case, the U.S. Supreme Court ruled that a plaintiff can allege an injury based on future harm, but “the threatened injury must be certainly impending to constitute an injury in fact.”
“Where the alleged injury requires a lengthy chain of assumptions, including ‘guesswork as to how independent decision makers will exercise their judgment,’ the injury is too speculative to be certainly impending,” Judge Bennett said. The financial harm suffered was limited to the costs of mitigating risk – such as credit monitoring services – although this too was dismissed by the judge as being insufficient to confer standing.