[BreachExchange] Appeals Court Vacates Horizon BCBS Data Breach Case

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 24 20:45:23 EST 2017


http://healthitsecurity.com/news/appeals-court-vacates-horizon-bcbs-data-breach-case

The previously dismissed data breach case against Horizon Blue Cross Blue
Shield (BCBS) of New Jersey was recently revived, as the Court of Appeals
for the Third Circuit vacated the dismissal and remanded the case.

The Court determined that the plaintiffs demonstrated an injury sufficient
for Article III standing under the Fair Credit Reporting Act (FCRA).

“In light of the congressional decision to create a remedy for the
unauthorized transfer of personal information, a violation of FCRA gives
rise to an injury sufficient for Article III standing purposes,” the
judges’ statement read. “Even without evidence that the Plaintiffs’
information was in fact used improperly, the alleged disclosure of their
personal information created a de facto injury.”

The original incident occurred in 2013, when two laptops containing the
unencrypted PHI of approximately 840,000 Horizon BCBS members were stolen.

Horizon stated at the time of the theft that there was no reason to believe
that the stolen information had been inappropriately used. The information
stored on the devices included names, addresses, dates of birth, clinical
information, and Social Security numbers.

Plaintiffs Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell
Rindner claimed that as “a direct and proximate result of Horizon’s
wrongful actions and inaction”, they “have been placed at an imminent,
immediate, and continuing increased risk of harm from identity theft,
identity fraud, and medical fraud, requiring them to take the time and
effort to mitigate the actual and potential impact of the Data Breach on
their lives.”

New Jersey U.S. District Judge Claire Cecchi dismissed the lawsuit in March
2015. Cecchi stated that the plaintiffs were unable to prove that
hypothetical future injuries might take place because a violation of
statutory rights occurred.

However, the appeals court explained that the plaintiffs’ argument that
their rights were violated under FCRA did in fact have standing.

The judges cited recent cases that determined the breach of a statute was
“enough to cause a cognizable injury – even without economic or other
tangible harm.”

“Those cases have been decidedly in favor of allowing individuals to sue to
remedy violations of their statutory rights, even without additional
injury,” the ruling explained.

The appeals court noted that Horizon’s actions did not necessarily “give
rise to a cause of action under common law” as there is no common law
tort for the release of information that “is not harmful to one’s
reputation or otherwise offensive.”

“But with the passage of FCRA, Congress established that the unauthorized
dissemination of personal information by a credit reporting agency causes
an injury in and of itself – whether or not the disclosure of that
information increased the risk of identity theft or some other future
harm,” the judges wrote.

The plaintiffs maintain that FCRA is meant to prevent unauthorized
disclosure of private information, which is what happened to them with
Horizon BCBS, the appeals court statement read.

“Our precedent and congressional action lead us to conclude that the
improper disclosure of one’s personal data in violation of FCRA is a
cognizable injury for Article III standing purposes,” explained the judges.
“We will therefore vacate the District Court’s order of dismissal and
remand for further proceedings consistent with this opinion.”

It is not an easy task for individuals to prove their cases in lawsuits
stemming from alleged healthcare data breaches.

In April 2016, the Pennsylvania Superior Court dismissed claims against
Keystone Mercy Health Plan and Amerihealth Mercy Health Plan. Plaintiffs
alleged that the health plans had been negligent with their personal
information, and that the organizations had violated the Uniform Trade
Practices and Consumer Protection Law (UTPCPL).

The Superior Court judge determined that the UTPCPL violation claims needed
to be reviewed by the trial court.