- The previously dismissed data breach case against Horizon Blue Cross Blue Shield (BCBS) of New Jersey was recently revived, as the Court of Appeals for the Third Circuit vacated the dismissal and remands.
The Court determined that the plaintiffs demonstrated an injury sufficient for Article III standing under the Fair Credit Reporting Act (FCRA).
“In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes,” the judges’ statement read. “Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”
The original incident occurred in 2013, when two laptops containing the unencrypted PHI of approximately 840,000 Horizon BCBS members were stolen.
Horizon stated at the time of the theft that there was no reason to believe that the stolen information had been inappropriately used. The information stored on the devices included names, addresses, dates of birth, clinical information, and Social Security numbers.
Plaintiffs Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner claimed that as “a direct and proximate result of Horizon’s wrongful actions and inaction”, they “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”
New Jersey U.S. District Judge Claire Cecchi dismissed the lawsuit in March 2015. Cecchi stated that the plaintiffs were unable to prove that hypothetical future injuries might take place because a violation of statutory rights occurred.
However, the appeals court explained that the plaintiffs’ argument their rights were violated under FCRA did in fact have standing.
The judges cited recent cases that determined the breach of a statute was “enough to cause a cognizable injury – even without economic or other tangible harm.”
“Those cases have been decidedly in favor of allowing individuals to sue to remedy violations of their statutory rights, even without additional injury,” the ruling explained.
The appeals court noted that Horizon’s actions did not necessarily “give rise to a cause of action under common law” as there is not a common law tort that information being released “is not harmful to one’s reputation or otherwise offensive.”
“But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm,” the judges wrote.
The plaintiffs maintain that FCRA is meant to prevent unauthorized disclosure of private information, which is what happened to them with Horizon BCBS, the appeals court statement read.
“Our precedent and congressional action lead us to conclude that the improper disclosure of one’s personal data in violation of FCRA is a cognizable injury for Article III standing purposes,” explained the judges. “We will therefore vacate the District Court’s order of dismissal and remand for further proceedings consistent with this opinion.”
It is not an easy task for individuals to prove their cases in lawsuits stemming from alleged healthcare data breaches.
In April 2016, the Pennsylvania Superior Court dismissed claims against Keystone Mercy Health Plan and Amerihealth Mercy Health Plan. Plaintiffs alleged that the health plans had been negligent with their personal information, and that the organizations had violated the Uniform Trade Practices and Consumer Protection Law (UTPCPL).
The Superior Court judge determined that the UTPCPL violation claims needed to be reviewed by the trial court.