Appeals Court Allows CareFirst Breach Class Action Lawsuit to Proceed

A class action lawsuit filed against health insurer CareFirst Blue Cross Blue Shield in the wake of a 2014 cyberattack impacting the personal data of 1.1 million individuals is being revived: A federal appeals court ruling has overturned a lower court's decision last year to dismiss the case.

Some legal experts say the Aug. 1 ruling by the U.S. Court of Appeals for District of Columbia Circuit is noteworthy because it could set precedent for other pending and future data breach cases.

The ruling by a three-judge appellate panel means that plaintiffs in the CareFirst case can proceed with their punitive class action lawsuit against the insurer, which had been dismissed in 2016 by the U.S. District Court for the District of Columbia.

"This ruling is significant because now the D.C. circuit, along with some other courts, have taken a more modern stand on the kind of damage you can expect in data breaches," says attorney Steven Teppler of the Abbott Law Group.

Privacy attorney Adam Greene, of the law firm Davis Wright Tremaine agrees the ruling is important.

"The court held that the theft of personally identifiable information/protected health information/sensitive information, if true, creates enough of a risk of identity theft that could be traceable to CareFirst's negligence in not securing the data," he says.

"This does not mean that the plaintiffs will win, but it significantly increases the risk to CareFirst and the costs of defending the case, and sets precedent for other cases to similarly proceed. "

Shifting Tide?

The dismissal of the CareFirst lawsuit last year by the lower court had followed a common trend in data breach litigation where most courts do not find standing to proceed without concrete, identifiable injury to plaintiffs, some experts note.

However, while many data breach lawsuits previously have ended in dismissals, courts appear to be "turning a little more plaintiff-friendly," Teppler says. "The winds are-a-changing. Not a total 180 [degree turn], but slowly there's a strong shift in the attitude of courts."

In its ruling, the appellate court notes that a group of CareFirst health plan members "attributed the breach to the company's carelessness." The lower district court dismissed the case for lack of standing, finding the risk of future injury to the plaintiffs too speculative to establish injury in fact.

However, the appellate court appears to disagree with that reasoning. "We conclude that the district court gave the complaint an unduly narrow reading. Plaintiffs have cleared the low bar to establish their standing at the pleading stage. We accordingly reverse."

But not everyone agrees that CareFirst ruling foreshadows a dramatic change of course in breach related lawsuits.

"It remains extremely challenging for individuals whose information was disclosed in a breach to bring a legal action seeking damages that will survive a motion to dismiss," says attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.

"Most courts have adopted a standard that the individual must show that they have suffered actual harm in order to bring the case to trial."

He adds: "It would be difficult to look at this ruling as a bellwether for future litigation brought by consumers alleging they suffered harm as a result of a data breach."

Still, the "plaintiffs cleared the low bar" to allow for their complaint to move past first base," he notes.Case Details

CareFirst disclosed in May 2015 that an "unauthorized intrusion" into a database dating back to June 2014 resulted in a breach affecting 1.1 million individuals.

As is often the case in the wake of large data breaches, a class action lawsuit was filed on behalf of individuals whose data was impacted by the breach.

However, a federal court judge ruled in 2016 that the plaintiffs had not shown incidents of harm or data misuse resulting from the security breach, "even though a significant amount of time has passed" since the data breach.

In dismissing the case last year, the lower court said it "found missing the requirement that the plaintiffs' injury [stemming from the data breach] be 'actual or imminent.'"

However, the appellate court noted in its ruling this week that the plaintiffs in the CareFirst lawsuit alleged that the CareFirst data breach exposed them to a heightened risk of identity theft.

"The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create ... standing. We conclude that they have."

Pending Cases

Teppler says the ruling by the federal appellate court could also have potential impact on future and pending class action lawsuits involving data breaches.

That includes the case filed against the Office of Personnel Management related to a cyberattack that resulted in a breach impacting the data of 4.2 million federal worker and retirees, and background-check records for more than 20 million individuals.

"There is a pending motion to dismiss the OPM lawsuit. And so now this [appellate court] decision likely changes the reasoning metrics of the district court considering that motion," Teppler says.

Nonetheless, "it's also possible that the court will say, 'that [CareFirst] decision is not this [OPM] case - but it's going to be hard to see how that happens," Teppler adds.

Higher Breach Costs?

Greene says the CareFirst case also sets a precedent that could result in higher settlement amounts or more costly litigation defense.

However, he says not all breach cases are alike. "Note that this case involved a theft of data, rather than a theft of hardware that included data on it. Courts hearing cases involving lost or stolen unencrypted laptops might not follow this precedent because it is less clear in such other cases whether the data itself was accessed in a manner that creates an increased risk of identity theft."

However, there are some lessons that other breached entities can learn from the CareFirst case so far, Greene says.

"The more cases like this that are successful, the higher the costs of a data breach become. This is because a successful class action lawsuit can far surpass the cost of regulatory fines," he notes.

"Unfortunately, there is not much that entities can do after the breach, other than offering identity theft services to reduce any potential injury to affected individuals. Rather, the most important steps are putting in place reasonable safeguards before a breach, to prevent a breach or strengthen any case that a breach did not occur due to the entity's negligence."

Parties Respond

In a statement to Information Security Media Group, attorney Jonathan Nace of Nidel & Nace, PLLC, one of the law firms representing plaintiffs in the CareFirst litigation, says his clients are "pleased" with the appellate court ruling.

Nace says the appellate court's opinion is significant for several reasons, including his clients' ability to now pursue their case "on the merits in the U.S. District Court for the District of Columbia, pending a potential petition to the Supreme Court."

Nace notes, "the law is always trying to keep up with the fast-pace of technology, and we have hope that this opinion will persuade other circuits confronted with this question too. More specifically, the Court found that the risk of future harm that flows from a data breach such as this one is not a 'speculative harm,' but a real, concrete harm that the law recognizes."

CareFirst declined ISMG's request for comment on the ruling.