Insurer Sued Over Data BreachExpert Predicts Healthcare Breach Suits Will Be Common in 2014
A class action lawsuit has been filed against insurer Horizon Blue Cross Blue Shield of New Jersey in the wake of data breach late last year involving the theft of two unencrypted laptop computers that affected nearly 840,000 of its members.
See Also: Ransomware: The Look at Future Trends
Privacy and security attorney David Navetta of the Information Law Group, who is not involved in the case, says the Horizon lawsuit is likely the first of many breach-related suits in healthcare and other industries that will be filed this year.
"2014 is potentially the year of the data and privacy lawsuit," he says. "Small wins" in lawsuits in other industries, such as retail, are fueling the filing of more cases in all sectors, Navetta says.
Dozens of lawsuits have already been filed in the wake of the Target breach, he notes. "There are little chinks in the armor, and it's creating an atmosphere that didn't exist in 2011, or 2012, and was starting in 2013," he says.
The plaintiffs in the Horizon case, Karen Pekelney and Mark Meisel, are suing the insurer for failing to adequately secure and safeguard its members' sensitive personally identifiable information, which includes names, dates of birth, Social Security numbers, addresses, medical histories, test and laboratory results, and insurance information.
Horizon notified almost 840,000 members about the incident when it occurred. Those members whose Social Security numbers may have been exposed are being offered free credit monitoring and identity theft protection for one year, the company said (see: Unencrypted Laptops Lead to Mega-Breach).
The plaintiffs allege Horizon acted negligently in safeguarding members' information and violated the Fair Credit Reporting Act and the New Jersey Consumer Fraud Act. They are seeking unspecified damages.
A Horizon spokesman tells Information Security Media Group: "This lawsuit is without merit and Horizon BCBSNJ intends to vigorously defend itself."
Navetta notes that many breach-related lawsuits, including healthcare cases, have been dismissed early in the discovery phase, while others have been settled out of court. But for many plaintiffs in these breach cases, settlements can be substantial "wins," Navetta says.
"There's blood in the water, and the floodgates are open," he says.
Navetta points to the 2011 court ruling in favor of payment card breach victims affected by a 2007 incident involving Hannaford, a northeastern U.S. grocery chain. A court decision partially overturned a district court ruling that dismissed 26 individual lawsuits against Hannaford (see Hannaford Breach Ruling: What it Means). The ruling meant victims of the Hannaford payment card breach can sue for damages resulting from the costs of card replacement, theft insurance and other "reasonable" mitigation efforts.
Litigation and government enforcement actions related to breaches are heating up in healthcare, he points out.
Breach cases like those targeting Horizon, as well as a recent complaint filed against medical testing firm LabMD by the Federal Trade Commission, are putting a spotlight on the importance of data protection and prompt breach notification, Navetta says. They also are calling attention to the need for cyber-insurance.
"These cases are very expensive for companies to fight, and these situations can potentially put smaller healthcare organizations out of business," he says.
LabMD's CEO Michael Daugherty announced on Jan 28. that his Atlanta-based medical testing laboratory would be winding down operations due to the cost of its battle with the FTC over the agency's security breach case against the company (see: Lab Shutting Down in Wake of FTC Case).
(News writer Jeffrey Roman contributed to this story.)