Login Register Subscribe
Current Issue

Data breach class action against health insurer reinstated

Reprints

A federal appeals court has reinstated a putative class action lawsuit filed by health insurer CareFirst Inc. customers in connection with a 2014 data breach, holding their potential risk of injury from the breach is “substantial.”

In June 2014, an unknown intruder breached 22 of Baltimore-based CareFirst’s computers and accessed a database containing its customers’ personal information, according to Tuesday’s ruling by the U.S. Court of Appeals for the District of Columbia Circuit in Chantal Attias et al. v. CareFirst Inc. et al.

CareFirst did not discover the breach until April 2015 and notified its customers the following month. Shortly after the announcement, seven CareFirst customers filed a putative class action against CareFirst and its subsidiaries in U.S. District Court in Washington, D.C.

The District Court dismissed the case on the grounds plaintiffs had not alleged either a present injury “nor a high enough likelihood of future injury.”

On appeal, a unanimous three-judge panel reinstated the case.

“Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury,” said the ruling. “The remaining question, then, keeping in mind the light burden of proof the plaintiffs bear at the pleading stage, is whether the complaint plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.”

Medical identity theft leads to inaccurate entries in victims’ medical records and can cause them “to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance or become disqualified for some jobs,” said the ruling, quoting an earlier decision.

“These portions of the complaint would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud even if their Social Security numbers were never exposed to the data thief,” said the ruling.

“No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken,” said the ruling, in reversing the lower court ruling and remanding the case for further proceedings.