By Jeffrey H. Brochin, J.D.
A federal district court improperly dismissed a class action brought by customers of CareFirst, Inc. (CareFirst) after their sensitive personal and medical information was exposed to hackers in a cyberattack, a federal appeals court has ruled. In dismissing the case for lack of standing, the district court had overlooked the complaint's allegations that credit card and social security numbers were exposed when it found no "substantial risk of future injury" (Attias v. CareFirst, Inc., August 1, 2017, Griffith, CJ).
Breach. In June 2014, an unknown intruder breached twenty-two CareFirst computers and reached a database containing customers’ personal information. The company did not discover the breach until April 2015 and only notified its customers of the cyberattack in May 2015. Seven CareFirst customers subsequently brought a class action against CareFirst and its subsidiaries in district court. Their complaint raised eleven different state-law causes of action, including breach of contract, negligence, and violation of various state consumer-protection statutes.
The parties disagreed over what the complaint alleged. According to CareFirst, the complaint alleged only the exposure of limited identifying data, such as customer names, addresses, and subscriber ID numbers; according to the customers, the complaint also alleged the theft of customers’ social security numbers. The customers also sought to certify a class consisting of all CareFirst customers residing in the District of Columbia, Maryland, and Virginia whose personal information had been breached. CareFirst moved to dismiss for lack of standing and, in the alternative, for failure to state a claim. The district court agreed that the customers lacked standing, holding that they had alleged neither a present injury nor a high enough likelihood of future injury.
Elements of standing. To demonstrate standing, the customers were required to show (1) that they suffered an injury in fact; (2) that the injury is fairly traceable to CareFirst’s actions; and (3) that the injury is likely to be redressed by the relief sought. The appeals court determined that the main issue on appeal was the injury-in-fact requirement, under which the injury must be concrete, particularized, and, most importantly, "actual or imminent," because that element ensures that the customers have a personal stake in the litigation. The district court had found no showing that the alleged injury was actual or imminent, and had held that the customers had not plausibly alleged a risk of future injury substantial enough to create standing.
Substantial risk test. The appeals court cited precedent under which the imminence requirement can be satisfied by either the "certainly impending" test or the "substantial risk" test, and noted that claims of standing based on allegations of a substantial risk of future injury have frequently been upheld. It further remarked that no one would doubt that identity theft, should it befall one of the customers, would constitute a concrete and particularized injury. The remaining question, then, was whether the complaint plausibly alleged that the customers now faced a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.
District court’s incorrect premise. The district court had concluded that the customers had not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing, in part because they had not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their social security or credit card numbers. However, the appeals court found that the district court’s conclusion rested on an incorrect premise: that the complaint did not allege the theft of social security or credit card numbers in the data breach, when in fact, the complaint did.
The complaint alleged that CareFirst, as part of its business, collects and stores its customers’ personal identification information, personal health information, and other sensitive information, all of which the complaint referred to collectively as "PII/PHI/Sensitive Information." This category, as the customers defined it, included patient credit card and social security numbers in addition to protected health information. The complaint also alleged that the cyberattack on CareFirst allowed access to personal and sensitive information, and that the identity thieves could use identifying data—including that accessed on CareFirst’s servers—to open new financial accounts, incur charges in another person’s name, and commit various other financial crimes.
The appeals court found that an unauthorized party had already accessed personally identifying data on CareFirst’s servers, and that it was therefore not at all speculative, but rather at the very least plausible, to infer that the intruders had both the intent and the ability to use that data for ill. No long sequence of uncertain contingencies involving multiple independent actors needed to occur before the customers would suffer harm; a substantial risk of harm existed already simply by virtue of the hack and the nature of the data that was taken. The court held that the elements required for standing were met, reversed the district court’s dismissal of the action, and remanded the matter for further proceedings.
The case is No. 16-7108.
Attorneys: Christopher T. Nace (Paulson & Nace, PLLC) for Chantal Attias. Matthew O. Gatewood (Eversheds Sutherland [US] LLP) and Robert D. Owen (Sutherland Asbil & Brennan, LLP) for Carefirst, Inc. d/b/a Group Hospitalization Medical Services, Inc. d/b/a Carefirst of Maryland, Inc. d/b/a Carefirst Bluecross Blueshield d/b/a Carefirst Bluechoice., Group Hospitalization and Medical Services, Inc. d/b/a Carefirst Bluecross Blueshield d/b/a Carefirst Bluechoice and Carefirst of Maryland, Inc. d/b/a Carefirst Bluecross Blueshield d/b/a Bluecross and Blueshield of Maryland Inc., d/b/a Carefirst Bluechoice.
Companies: Carefirst, Inc. d/b/a Group Hospitalization Medical Services, Inc. d/b/a Carefirst of Maryland, Inc. d/b/a Carefirst Bluecross Blueshield d/b/a Carefirst Bluechoice.; Group Hospitalization and Medical Services, Inc. d/b/a Carefirst Bluecross Blueshield d/b/a Carefirst Bluechoice; Carefirst of Maryland, Inc. d/b/a Carefirst Bluecross Blueshield d/b/a Bluecross and Blueshield of Maryland Inc., d/b/a Carefirst Bluechoice