Data Breach , Litigation

CareFirst Asks Supreme Court to Review Data Breach Case

Health Insurer Claims Case Lacks Evidence of Harm
CareFirst Asks Supreme Court to Review Data Breach Case

CareFirst BlueCross BlueShield has filed a petition asking the Supreme Court to review a case filed against the health insurer in the wake of a 2014 cyberattack that impacted 1.1 million individuals, potentially becoming the first health data breach case to reach the high court. The breach involved the hacking of a database.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

In the Oct. 30 petition asking the Supreme Court for a "writ of certiorari," or a review of the case, CareFirst asks the high court to examine "whether a plaintiff has Article III standing based on a substantial risk of harm that is not imminent and where the alleged future harm requires speculation about the choices of third-party actors not before the court."

"Article III standing" means a plaintiff has the legal right to initiate a lawsuit if three requirements are met, including the plaintiff has suffered a concrete injury; the injury is fairly traceable to actions of the defendant; and it must be likely - not merely speculative - that the injury will be redressed by a favorable decision.

CareFirst's petition to the Supreme Court comes after the U.S. Court of Appeals for the District of Columbia on Sept. 6 granted CareFirst's request for a "stay" or pause on that court's Aug. 1 ruling allowing plaintiffs in the CareFirst case to proceed with their punitive class action lawsuit against the insurer (see Could CareFirst Data Breach Care Be Headed to Supreme Court?).

That August decision by the appeals court overturned a lower court's dismissal of the CareFirst case. In its ruling, the appellate court noted that a group of CareFirst health plan members "attributed the breach to the company's carelessness." The lower district court had dismissed the case for lack of standing, finding the risk of future injury to the plaintiffs too speculative to establish injury in fact.

The appellate court disagreed with the lower court's reasoning: "We conclude that the district court gave the complaint an unduly narrow reading. Plaintiffs have cleared the low bar to establish their standing at the pleading stage. We accordingly reverse."

Heightened Risk?

In its ruling, the appellate court noted that the plaintiffs in the CareFirst lawsuit alleged that the data breach exposed them to a heightened risk of identity theft.

"The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create ... standing. We conclude that they have," the appellate court wrote.

In CareFirst's Supreme Court petition, the insurer says: "Federal courts are bound by the principle that Article III standing does not exist for an injury that requires an 'attenuated chain of inferences necessary to find harm' or 'speculation about the unfettered choices of independent actors not before the court.'"

Attorney Jonathan Nace, of the law firm Nidel & Nace, which is representing plaintiffs in the class action suit against CareFirst, says his legal team plans to file a response to CareFirst's petition by the Nov. 31 deadline. He declined further comment on the case.

Groundbreaking Case?

Attorney Steven Teppler of the law firm Abbott Group - which is not involved in the CareFirst lawsuit - says that if the Supreme Court grants CareFirst's request for a review, it would be the first Supreme Court case to address this particular facet of data breaches - cases involving protected health information.

"This is a chance for the Supreme Court to sharpen its decision in Spokeo," Teppler says, referring to a case against website search engine company Spokeo in which the Supreme Court said that in order for a lawsuit to move forward, a plaintiff must show "concrete" damage that was "actual or imminent, not conjectural or hypothetical."

In that case, the plaintiff Thomas Robins filed suit after he read his online profile on the Spokeo website that contained numerous mistakes, including incorrectly listing his age and inaccurately stating that he holds a graduate degree, is wealthy and is married with children. When he filed the suit, Robins was unemployed and seeking work, and he claimed the incorrect information harmed his job prospects.

In that case, the high court, in a 6 to 2 decision, remanded the case to the Ninth Circuit Court of Appeals to examine the issue of whether the plaintiff had been harmed when Spokeo published incorrect information about him online.

But in the CareFirst case, "the fact that this is healthcare information ... it looks like there's a more concrete and particularized harm because of the nature of the information," Teppler says. "It's not a credit card or debit card, or email address and password [that was breached] ... In a healthcare breach, the constellation of information is so huge, it makes it much easier to commit identity fraud or identity compromise because you have all the points that exist digitally for a person for [a fraudster] to impersonate, recreate or compromise."

If the Supreme Court ultimately decides not to hear the CareFirst case, Teppler says, it could be an indication that the high court "could be waiting for a better [data breach] case" to consider, Teppler says.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network