HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CareFirst Inc. Data Breach Lawsuit Dismissed for Lack of Standing

A class-action data breach lawsuit filed against CareFirst Inc., and CareFirst of Maryland Inc., following the 1.1 million-record data breach of 2015 – and a second breach in 2014 – has been dismissed by a Maryland federal court for lack of standing.

The lawsuit, which was filed by two plaintiffs – Scott Adamson and Pamela Chambliss – was dismissed by Judge Richard Bennett after the pair were unable to allege facts sufficient to support the case.

The pair alleged CareFirst had been negligent for failing to protect its computer hardware, resulting in the exposure of plan members’ names, ID numbers, and dates of birth. While any health insurer data breach could potentially place plan members at risk of harm or loss, in this case no Social Security numbers, credit card numbers, or financial information were exposed.

The plaintiffs did not allege that their personal information had actually been used, but claimed their personal information had value and its exposure placed them at an increased risk of harm or loss. However, there was some doubt as to the amount of potential harm the pair could have faced as a result of their information being exposed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The plaintiffs were unable to provide sufficient evidence to suggest that their data had actually been viewed, accessed, or misused and failed to adequately explain how the exposed data could actually have been used to cause harm or loss. In Bennett’s ruling he pointed out that a considerable amount of time had passed since the data breach occurred, yet still no harm had been suffered.

CareFirst filed a motion to have the case dismissed for lack of standing and cited the Clapper v. Amnesty International USA case. In that case, the U.S. Supreme Court ruled that a plaintiff can allege an injury based on future harm, but “the threatened injury must be certainly impending to constitute an injury in fact.”

“Where the alleged injury requires a lengthy chain of assumptions, including ‘guesswork as to how independent decision makers will exercise their judgment,’ the injury is too speculative to be certainly impending.” Judge Bennett said. The financial harm suffered was limited to the costs of mitigating risk – such as credit monitoring services – although this too was dismissed by the judge as being insufficient to confer standing.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.