A federal appeals court earlier this week dealt a blow to healthcare insurer CareFirst, Inc., concluding that a group of customers have the right to pursue a class action data breach lawsuit based on a 2014 cyberattack.
In a unanimous ruling, a three-judge panel of the United States Court of Appeals for the District of Columbia held that the insurer’s customers had demonstrated a substantial risk of harm “simply by virtue of the hack and the nature of the data that … was taken.”
The district court had dismissed the case for lack of standing, finding that the plaintiffs had not alleged a present injury or a high enough likelihood of future injury.
The ruling comes at a time when courts around the country continue to tussle with the issue of whether plaintiffs in data breach cases have plausibly alleged a risk of future injury sufficient to satisfy the injury-in-fact requirement of Article III. Since the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins, the federal appellate courts have been split on the standing issue. The Second Circuit – among others – has taken a narrower view of “harm” and held that consumers generally lack standing if they have not experienced actual identity theft or other concrete injuries.
CareFirst operates a group of healthcare insurance companies in the D.C. area, serving 1 million customers. In order to purchase CareFirst policies, customers must provide personal information including their names, birthdates, email addresses, social security numbers and credit card information.
According to the complaint, in June 2014, a hacker breached 22 CareFirst servers that included customers’ personal information. The breach was not discovered until April 2015, and customers were notified the following month. The complaint charges that CareFirst was careless in its handling of the customers’ data, including a failure “to properly encrypt some of the data entrusted to its care.” As a result, the complaint alleges, plaintiffs suffered an increased risk of identity theft.
In reversing the district court, the D.C. Circuit said that the sole issue before it was whether, at the pleading stage, the complaint “plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.”
The D.C. Circuit found that the complaint sufficiently alleged that CareFirst “collected and stored” protected healthcare and sensitive information – which included social security numbers and credit card information – and that such information was stolen by the hackers, placing plaintiffs at a high risk of financial fraud.
“No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs … will suffer any harm,” wrote the court. It was sufficient, the court held, that “a substantial risk of harm exists already” as a result of the data breach and nature of the information allegedly taken.