Carefirst Data Breach Case Moves Forward Following Key Ruling

Appeals Court Says Consumers Can Sue Organizations That Fail to Protect Data

In a case that is likely to have far reaching consequences in privacy law enforcement, the Federal Appeals Court in Washington, DC has ruled that a consumer class action suit seeking compensation for faulty security practices can proceed. The ruling overturned a July 2016 decision by a Maryland district court, which had found that the plaintiffs had failed to demonstrate sufficient standing in their case against healthcare insurers CareFirst Inc. and CareFirst of Maryland Inc.

The case was triggered by a data breach reported in 2015, which affected 1.1 millions current and former members of the healthcare networks.  Originally filed by plaintiffs Pamela Chambliss and Scott Adamson, the lawsuit claims that the insurer should be held responsible for failing to protect their personal data.

The case read as follows: “As customers of CareFirst, Plaintiffs allege that they had a reasonable expectation that their confidential personal information would remain private and confidential. Due to CareFirst’s failure to secure the personal information at issue, Plaintiffs claim that they and the class members ‘have lost or are subject to losing money and property.”

The Maryland ruling was based on a lack of evidence that the data had been misused. In their decision, the justices wrote: “Their theory of harm relies solely on the actions of an unknown independent third party. It is thus not clear ‘whether future harm from a data security breach will materialize,’ but also uncertain ‘when such harm will occur.’”

However, the higher court seemed to indicate the absence of damage did not necessarily mean that the case was invalid.  "No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm," the justices wrote in their opinion.

Class-action lawsuits are often filed after healthcare provider security breaches, but have in the past had a high bar of proof. The latest ruling is significant because it represents a departure from previous cases, which tended to turn on whether any actual damage had occurred.