Maryland Court Dismisses CareFirst Data Breach Lawsuit

A class action lawsuit following the CareFirst data breach was recently dismissed, as there was not sufficient evidence to prove potential future harm to plaintiffs.

By Elizabeth Snell

Plaintiffs in a class action lawsuit filed after the CareFirst data breach from last year failed to demonstrate sufficient standing, according to a Maryland district court.

Pamela Chambliss and Scott Adamson claimed in their case against CareFirst Inc. and CareFirst of Maryland Inc. that the insurer should be held responsible following the healthcare data breach that was reported in 2015. In that case, CareFirst announced that approximately 1.1 million current and former members potentially had their information accessed through a cybersecurity attack.

Two data breaches reportedly occurred. The first happened in June 2014, and the second took place just before May 2015. On April 21, 2015, CareFirst was conducting a risk assessment when it was discovered that “a sophisticated cyberattack occurred.” The attack likely led to “limited unauthorized access to a database on June 19, 2014.”

Potentially exposed information included the user names members created to access CareFirst’s website, members’ names, dates of birth, email addresses and subscriber identification numbers. Social Security numbers, medical claims information and financial information were not affected.

According to the case, CareFirst “knew or should have known earlier of both breaches, as the information stolen is allegedly ‘highly coveted by and a frequent target of hackers.’”

“As customers of CareFirst, Plaintiffs allege that they had a reasonable expectation that their confidential personal information would remain private and confidential,” the case explained. “Due to CareFirst’s failure to secure the personal information at issue, Plaintiffs claim that they and the class members ‘have lost or are subject to losing money and property.’”

However, the Maryland district court ruled that there was a lack of subject matter jurisdiction, and that it was not proven that the plaintiffs suffered any injury from the reported data breach.

Furthermore, while the plaintiffs claimed that their personal information had value, they did not state how a hacker would potentially use the data in question to cause harm.

“Their theory of harm relies solely on the actions of an unknown independent third party,” the decision reads. “It is thus not clear ‘whether future harm from a data security breach will materialize,’ but also uncertain ‘when such harm will occur.’”

No actual instances of the data being misused were cited, even though a significant amount of time had passed since the data breaches were first reported.

The court also cited the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International USA, and explained that the fear of “hypothetical future harm” is not enough to create sufficient standing for a case.

“The harm must thus be ‘certainly impending’ before mitigation expenses may be considered as further proof of a cognizable injury,” the case maintained.

The lawsuit also claimed that the plaintiffs were “harmed by the lost benefit of their bargain with CareFirst.” However, the court also dismissed this claim by explaining that there was not sufficient proof that the data breaches did in fact decrease the value of their CareFirst health insurance.

“Even further, they offer no factual allegations indicating that the prices they paid for health insurance included a sum to be used for data security, and that both parties understood that the sum would be used for that purpose,” the decision explained. “Indeed, when pressed at the May 19 hearing, Plaintiffs could not even quantify this alleged loss.”

Class-action lawsuits are common following reported healthcare data breaches, but it can be difficult for plaintiffs to prove that an insurance company or provider should be held liable.

Earlier this year, a Pennsylvania court dismissed claims in a healthcare data breach class action lawsuit. The ruling stated that the trial court needs to review the plaintiff’s claim under the Uniform Trade Practices and Consumer Protection Law (UTPCPL).

Plaintiffs in that case filed a class action lawsuit against Keystone Mercy Health Plan and Amerihealth Mercy Health Plan over a missing USB flash drive that allegedly contained PHI. The lawsuit claimed that the health plans had engaged in deceptive practices under the UTPCPL. However, the judge ruled that justifiable reliance is necessary for deceptive practice claims under the UTPCPL.
