[BreachExchange] Maryland Court Dismisses CareFirst Data Breach Lawsuit

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 19 10:40:26 EDT 2016


http://healthitsecurity.com/news/maryland-court-dismisses-carefirst-data-breach-lawsuit

Plaintiffs in a class action lawsuit filed after the CareFirst data breach
from last year failed to demonstrate sufficient standing, according to a
Maryland district court.

Pamela Chambliss and Scott Adamson claimed in their case against CareFirst
Inc. and CareFirst of Maryland Inc. that the insurer should be held
responsible following the healthcare data breach that was reported in 2015.
In that case, CareFirst announced that approximately 1.1 million current
and former members potentially had their information accessed through a
cybersecurity attack.

Two data breaches reportedly occurred. The first happened in June 2014, and
the second took place just before May 2015. On April 21, 2015, CareFirst
was conducting a risk assessment when it was discovered that “a
sophisticated cyberattack occurred.” The attack likely led to “limited
unauthorized access to a database on June 19, 2014.”

Potentially exposed information included the user names members created
to access CareFirst’s website, members’ names, dates of birth, email
addresses and subscriber identification numbers. Social Security Numbers,
medical claims information and financial information were not affected.

According to the case, CareFirst “knew or should have known earlier of both
breaches, as the information stolen is allegedly ‘highly coveted by and a
frequent target of hackers.’”

“As customers of CareFirst, Plaintiffs allege that they had a reasonable
expectation that their confidential personal information would remain
private and confidential,” the case explained. “Due to CareFirst’s failure
to secure the personal information at issue, Plaintiffs claim that they and
the class members ‘have lost or are subject to losing money and property.’”

However, the Maryland district court ruled that there was a lack of subject
matter jurisdiction, and that it was not proven that the plaintiffs
suffered any injury from the reported data breach.

Furthermore, while the plaintiffs claimed that their personal information
had value, they did not state how a hacker would potentially use the data
in question to cause harm.

“Their theory of harm relies solely on the actions of an unknown
independent third party,” the decision reads. “It is thus not clear
‘whether future harm from a data security breach will materialize,’ but
also uncertain ‘when such harm will occur.’”

No actual instances of the data being misused were cited, even though a
significant amount of time had passed since the data breaches were first
reported.

The court also cited the U.S. Supreme Court’s 2013 decision in Clapper v.
Amnesty International USA, and explained that the fear of “hypothetical
future harm” is not enough to create sufficient standing for a case.

“The harm must thus be ‘certainly impending’ before mitigation expenses may
be considered as further proof of a cognizable injury,” the case maintained.

The lawsuit also claimed that the plaintiffs were “harmed by the lost
benefit of their bargain with CareFirst.” However, the court also dismissed
this claim by explaining that there was not sufficient proof that the data
breaches did in fact decrease the value of their CareFirst health insurance.

“Even further, they offer no factual allegations indicating that the prices
they paid for health insurance included a sum to be used for data security,
and that both parties understood that the sum would be used for that
purpose,” the decision explained. “Indeed, when pressed at the May 19
hearing, Plaintiffs could not even quantify this alleged loss.”

Class-action lawsuits are common following reported healthcare data
breaches, but it can be difficult for plaintiffs to prove that an insurance
company or provider should be held liable.

Earlier this year, a Pennsylvania court dismissed claims in a healthcare
data breach class action lawsuit. The ruling stated that the trial court
needs to review the plaintiff’s claim under the Uniform Trade Practices and
Consumer Protection Law (UTPCPL).

Plaintiffs in that case filed a class action lawsuit against Keystone Mercy
Health Plan and Amerihealth Mercy Health Plan for a missing USB flash drive
that allegedly contained PHI. The lawsuit claimed that the health plans had
performed deceptive practices under UTPCPL. However, the judge ruled that
justifiable reliance is necessary for deceptive practice claims under
UTPCPL.