CareFirst lawsuit victory – National Consumers League

Written by NCL Intern Trang Nguyen

We recently celebrated a legal victory—NCL filed the only amicus curiae brief in the case—that recognized harm to consumers whose health plans’ websites are hacked and personal information is stolen because the plan failed to provide adequate security measures to protect its insurees’ data.

The class action suit, involving CareFirst BlueCross BlueShield, was brought in the U.S. District Court for the District of Columbia. The plaintiffs alleged that the company’s negligence allowed hackers to access 1.1 million customers’ personal information. The incident happened in June 2014, when an unknown intruder hacked 22 CareFirst computers and reached the database containing its customers’ personal information. The company only discovered the breach after 11 months and finally notified its customers in May 2015. Chantal Attias and six other plaintiffs, on behalf of CareFirst’s customers, sued the company for the negligence that exposed the plaintiffs to a substantially heightened risk of identity theft. U.S. District Judge Christopher R. Cooper dismissed the case, holding that the plaintiffs lacked standing to proceed because they failed to claim how they had suffered substantial risk or impending injury fairly traceable to the actions of the defendant.

In a decision handed down last week, DC Federal Circuit Court of Appeals Judge Thomas B. Griffith reversed the lower court’s decision, ruling that the plaintiffs had demonstrated substantial risk of future harm stemming from the breach. As CareFirst collects and stores its customers’ personal identification information, personal health information and other sensitive information, including patient credit card and Social Security numbers, the cyberattack in 2014 exposed a great deal of the information to wrongdoers, allowing them to appropriate a victim’s identity. CareFirst claimed that hackers could only access customers’ names, dates of birth, email addresses, and subscriber identification—not Social Security numbers or credit card information. Judge Griffith granted that, even if such was the case, the compromised information was enough to increase the risk of identity theft, which can cause “victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs.”

Judge Griffith agreed that, while the hackers were the immediate cause of the plaintiffs’ injuries, CareFirst’s failure to properly secure customers’ data contributed to the breach, and thereby subjected them to a substantial risk of identity theft. Therefore, under the standards of Article III, the plaintiffs’ injury was in fact fairly traceable to CareFirst.

Finally, the court recognized that since the plaintiffs would have to expend a large amount of money to mitigate and protect themselves from the substantial risk of identity theft, they are justified in demanding monetary damages.