CareFirst Blue Cross Blue Shield Breach Lawsuit Filed

Earlier this year, CareFirst Inc., discovered one of its customer databases had been accessed by hackers, exposing the Protected Health Information (PHI) of approximately 1.1 million individuals. Some of the victims have now added their names to a new lawsuit against the insurer, with the plaintiffs seeking damages of $5 million, plus legal costs, for the damage, harm and losses caused as a result of the data breach.

CareFirst, operating under Blue Cross Blue Shield, suffered a cyberattack in 2014, although it was not identified until May 20, 2015. Names, dates of birth, insurance information and email addresses were exposed, but critically, no financial information or Social Security numbers.

CareFirst determined hackers first gained access to the data in June 2014; however it was only when a third party security company, Mandiant, conducted a security audit that the data breach was identified.

CareFirst had elected not to encrypt its database, and it is alleged that the decision not to implement this security measure, and others, constituted negligence on the part of the insurer. Data encryption is not a mandatory requirement under HIPAA.

CareFirst did take steps to mitigate any risk to members by offering 2 years of identity theft and credit monitoring services without charge. The plaintiffs believe that they are entitled to more, and that damages are applicable.

Class-certification is not guaranteed. In recent months some class-actions have been certified, but most fail to get that far. A class-action lawsuit was filed against Advocate Health for a data breach; but an Illinois Appellate Court ruled that the case had no standing, as no palpable loss was suffered by the victims., in May, a Philadelphia judge tossed a data breach lawsuit against Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, and that the alleged negligence did not warrant a class action claim.

Even if class-action lawsuits are certified, many ultimately are ruled in favor of the defendants, especially when breach victims cannot demonstrate any actual harm or losses that have been suffered.

One of the main issues plaintiffs face is the definition of harm. Harm is often seen as financial, but for the plaintiffs, it is seen as the high risk of suffering identity fraud; a risk that could last a lifetime. The courts often fail to see it the same way, and it is difficulty to persuade judges on threats of future harm.

Eva Casey-Velasquez, President and CEO of the Identity Theft Resource Center, told the Information Security Media Group, “The laws and our perceptions about consumer harm are clearly financial, so when the courts and people in decision-making positions look at consumer harm, they only see dollar signs.” If no financial harm has been suffered, damages will not usually be awarded.

The latest Blue Cross Blue Shield lawsuit was filed on August 6. The plaintiffs are first seeking class certification and damages for the increased risk of identity theft and to cover potential losses as a result of personal data being exposed. The lawsuit was filed in the U.S. District Court of Maryland.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.