- A Federal appeals court reversed a previous ruling over the CareFirst data breach that took place in 2015 and impacted 1.1 million current and former CareFirst members.
The US Court of Appeals for the District of Columbia Circuit said “the district court gave the complaint an unduly narrow reading,” and that the plaintiffs “cleared the low bar to establish their standing at the pleading stage.”
The Maryland district court ruled that there was a lack of subject matter jurisdiction, and that it was not proven that the plaintiffs suffered any injury from the reported data breach. The plaintiffs also claimed that their personal information had value but they did not state how a hacker would potentially use the data in question to cause harm.
“Their theory of harm relies solely on the actions of an unknown independent third party,” the decision read. “It is thus not clear ‘whether future harm from a data security breach will materialize,’ but also uncertain ‘when such harm will occur.’”
The incident stems from two reported data breaches, one which took place in June 2014 and the second which occurred just before May 2015. CareFirst was conducting a risk assessment on April 21, 2015 when it discovered that “a sophisticated cyberattack occurred.” There was then “limited unauthorized access to a database on June 19, 2014.”
Potentially exposed information included member-created user names created by individuals to access CareFirst’s website, members’ names, dates of birth, email addresses and subscriber identification numbers. Social Security Numbers, medical claims information and financial information were not affected.
The Appellate Court stated that “when a court lacks subject-matter jurisdiction, it has no authority to address the dispute presented.”
“Because the district court in this case dismissed for lack of subject-matter jurisdiction without expressly inviting the plaintiffs to amend their complaint or giving some other equally clear signal that it intended the action to continue, the order under review ended the district court action, and was thus final and appealable,” the Court determined.
A key concern in the case is the injury-in-fact requirement, the Appellate Court said. This is proving whether an injury is “actual or imminent.”
“The plaintiffs here alleged that the data breach at CareFirst exposed them to a heightened risk of identity theft,” the judges wrote. “The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing. We conclude that they have.”
The court also noted that there is no question that should one of the plaintiffs suffer from identity theft, that it “would constitute a concrete and particularized injury.” However, it is important to review “whether the complaint plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.”
The District Court stated that plaintiffs had not in fact established a sufficient risk of future harm. That conclusion rested on an incorrect premise, according to the Appellate Court.
“[The premise stated] the complaint did not allege the theft of social security or credit card numbers in the data breach,” the judges explained. “In fact, the complaint did…We have specific allegations in the complaint that CareFirst collected and stored ‘PII/PHI/Sensitive Information,’ a category of information that includes credit card and social security numbers; that PII, PHI, and sensitive information were stolen in the breach; and that the data ‘accessed on Defendants’ servers’ place plaintiffs at a high risk of financial fraud.”
Article III Standing does not require that a defendant be the most immediate cause of a plaintiffs’ injuries, the ruling noted. Instead, Article III Standing requires only that those injuries be “fairly traceable” to the defendant.
“Because we assume, for purposes of the standing analysis, that plaintiffs will prevail on the merits of their claim that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft…we have little difficulty concluding that their injury in fact is fairly traceable to CareFirst,” the judges determined.
Previous data breach cases had difficulty in establishing fault, potential fault, or proving that possible injury could take place from an incident.
Earlier this year, the US Court of Appeals, Fourth Circuit, dismissed a data breach lawsuit that alleged the William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC) had violated the Privacy Act of 1974 and the Administrative Procedure Act (APA).
In that case, Plaintiffs said earlier reported data breaches at Dorn VAMC created an “increased risk of future identity theft,” and that there were costly measures to protect against it. The appeals court disagreed, and sided with the district court’s ruling in that there was a lack of subject-matter jurisdiction.