- The flood gates could potentially be opened for “no-injury class actions arising from virtually every data breach” if the US Supreme Court does not reaffirm the Washington DC circuit court’s decision with the CareFirst data breach case, according to a recently filed reply of petitioners.
CareFirst filed a petition for writ of certiorari in October 2017, asking for the case to be reviewed by the US Supreme Court. The US Court of Appeals for the District of Columbia Circuit reversed a circuit court’s ruling, explaining that it had been a very narrow reading of future harm.
“Their theory of harm relies solely on the actions of an unknown independent third party,” the decision read, maintaining it was not proven that the plaintiffs suffered any injury from the reported data breach. “It is thus not clear ‘whether future harm from a data security breach will materialize,’ but also uncertain ‘when such harm will occur.’”
Now, CareFirst explained in its reply of petitioners that the DC circuit court “applied a standard to evaluate Respondents’ alleged threatened injuries that obviates the requirement that those future injuries be imminent.”
The Court of Appeals essentially eliminated “the need for a plaintiff to plead that a threatened injury is imminent to bring a federal case,” CareFirst maintained.
“Respondents downplay the significance of the D.C. Circuit’s conclusion despite a rising tide of data breach class actions,” the reply stated. “Should the Court leave the D.C. Circuit’s opinion undisturbed, any individual who pleads that her data was exposed in a breach will be able to maintain a lawsuit against the company that held that data, even if the plaintiff suffered no harm whatsoever.”
CareFirst added that it wants the Supreme Court to clarify what plaintiffs must allege “to establish an injury in fact for an allegedly threatened injury.” This is an increasingly common scenario as the number of data breaches across the country continues to rise, the healthcare organization stated.
“CareFirst does not ask the Court to establish a new standard, but to reaffirm that a substantial risk of threatened injury cannot be sufficient to confer Article III standing unless that risk is indeed actual or imminent,” CareFirst explained. “This case provides an ideal opportunity to provide that clarity.”
The reply also contended that the Appeals Court made a statement that held no legal or factual support.
“A substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken,” the Appellate Court said.
The allegation was false, according to CareFirst.
“The court of appeals read into the complaint allegations that the data breach accessed Respondents’ Social Security numbers,” the healthcare organization explained. “The district court had concluded otherwise and noted that even if there were such an allegation, CareFirst submitted a sworn declaration in support of its motion to dismiss proving that Respondents’ allegations were untrue.”
The CareFirst data breach case began when the healthcare organization experienced two separate data breaches. One occurred in June 2014 and another near May 2015.
CareFirst said it was conducting a risk assessment on April 21, 2015, when it discovered that “a sophisticated cyberattack occurred.” There was also “limited unauthorized access to a database on June 19, 2014.”
In the reported incidents, the user names members created to access CareFirst’s website, members’ names, dates of birth, email addresses and subscriber identification numbers were potentially involved. However, Social Security numbers, medical claims information, and financial information were not involved.
In an increasingly digital age, it is more and more difficult to establish privacy expectations. The Supreme Court’s decision, over what constitutes reasonable expectations for data privacy and what harm could actually occur following an incident, will have an impact beyond the healthcare space.
LeClairRyan Partner Chad Mandell noted in a 2017 blog post that it is tricky to prove proper legal standing “and class certification remains an obstacle that has yet to be successfully overcome.”
“No organization, no matter how large and no matter what security protocols are in place, is immune from its systems being compromised,” Mandell wrote. “Thus, it is reasonable to ask whether alleged damages in a data-breach case truly can be traced to a given hack of a particular company or whether they stem from a prior breach or multiple prior breaches of the plaintiff’s own computer.”
Even when security measures are put in place, it may not be enough to prevent companies from being held to impossible standards, he added.
Regardless, healthcare providers still need to take steps toward remaining compliant with all federal and state privacy and security regulations. This includes ensuring that all staff members are regularly trained on HIPAA compliance and best practices for maintaining PHI security.
Organizations will also need to have applicable technical, physical, and administrative safeguards in place.
Cybersecurity threats are continuously evolving, and healthcare organizations need to adjust their defenses to keep pace with those changing threats. There is no silver bullet against healthcare data breaches, but entities can take critical steps toward prevention, detection, and response.