CareFirst Can Be Sued for Breach, Rules Court of Appeals

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen.

Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing.

The plaintiffs alleged that the breach had occurred as a result of the carelessness of CareFirst, and as a direct result of that carelessness, they faced an increased risk of suffering identity theft and fraud.

The district court judge dismissed the case as the plaintiffs failed to establish harm, or a significant threat of future harm. The judge explained that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.”

However, the three-judge panel overturned the previous ruling claiming the interpretation of the law was ‘unduly narrow’, explaining that all the plaintiffs were required to establish at that point was their allegations were plausible and there was potential for future harm as a result of the breach.

The district court ruling was based on the fact that the plaintiffs had failed to establish how it would be possible for their identities to be stolen by the hackers if their Social Security numbers and/or credit card numbers were not stolen in the attack. CareFirst maintained that Social Security numbers and financial information were not compromised and were stored in a part of the network that was not compromised.

Court of Appeals Judge Thomas Griffith explained that the conclusion drawn by the district court “rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach.” However, while that was the opinion of CareFirst, it was not the opinion of the plaintiffs, who did include Social Security numbers and financial information in their description of the information that was stolen in the CareFirst cyberattack. That does not mean that those data elements were stolen, only that the plaintiffs alleged that Social Security numbers and financial data had been compromised.

The plaintiffs also alleged separately that the types of information which CareFirst said were compromised – email addresses, names, birth dates and CareFirst account numbers – may not be of use to an identity thief on their own, but did create “a material risk of identity theft.” The appeals court believed the claim was plausible and that the theft of such information could open the door to medical identity theft.

While medical identity theft would result in financial harm for the insurer, fraudulent claims against insurance policies could potentially cause harm to the plaintiffs. The fraudulent claims would go on their accounts and this could be held against the plaintiffs, disqualifying them from certain types of employment or preventing them from taking out life insurance. Social Security numbers would not be required for harm to be caused were that to be the case.

That is not the only lawsuit to be filed against CareFirst for the 2014 breach. In July last year, a case filed by two plaintiffs was similarly dismissed for lack of standing by a Maryland Court. The case was dismissed as the plaintiffs failed to demonstrate harm had been suffered. While it is possible to allege an injury based on future harm, the threatened injury must be impending to constitute an injury in fact. However, the judge ruled that “the injury is too speculative to be certainly impending.” While the decision was appealed, the case was voluntarily dropped by the plaintiffs.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.