HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi.

The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data.

Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed.

The complainants maintain that the laptop computers were targeted by thieves who realized the value of data contained on the devices, rather than the computers being stolen for resale for their hardware value.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The plaintiffs claim that the disclosure, although accidental, placed them at “imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

The plaintiffs allege Horizon BCBS wilfully and negligently violated the Fair Credit Reporting Act (FCRA) – in addition to a number of state laws – by failing to adequately protect their personal information. The plaintiffs claim that the unauthorized transfer of personal information was a violation of FCRA and that the transfer, in itself, constitutes a cognizable injury.

The District Court dismissed the lawsuit under Federal Rule of Civil Procedure 12(b)(1) claiming a lack of Article III standing. However, the court of appeals judges ruled that even without evidence of misuse of the plaintiffs’ personal information, the case has standing.

According to U.S. Circuit Judge Kent Jordan , who wrote for the three-judge panel, “In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes.” Judge Jordan explained, “the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.