[BreachExchange] What Precedent Will Be Set in CareFirst Data Breach Case?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 25 19:01:11 EST 2018


The flood gates could potentially be opened for “no-injury class actions
arising from virtually every data breach” if the US Supreme Court does not
reaffirm the Washington DC circuit court’s decision with the CareFirst data
breach case, according to a recently filed reply of petitioners.

CareFirst filed a petition for writ of certiorari in October 2017, asking
for the case to be reviewed by the US Supreme Court. The US Court of
Appeals for the District of Columbia Circuit reversed a circuit court’s
ruling, explaining that it had been a very narrow reading of future harm.

“Their theory of harm relies solely on the actions of an unknown
independent third party,” the decision read, maintaining it was not proven
that the plaintiffs suffered any injury from the reported data breach. “It
is thus not clear ‘whether future harm from a data security breach will
materialize,’ but also uncertain ‘when such harm will occur.’”

Now, CareFirst explained in its reply of petitioners that the DC circuit
court “applied a standard to evaluate Respondents’ alleged threatened
injuries that obviates the requirement that those future injuries be

The Court of Appeals essentially eliminated “the need for a plaintiff to
plead that a threatened injury is imminent to bring a federal case,”
CareFirst maintained.

“Respondents downplay the significance of the D.C. Circuit’s conclusion
despite a rising tide of data breach class actions,” the reply stated.
“Should the Court leave the D.C. Circuit’s opinion undisturbed, any
individual who pleads that her data was exposed in a breach will be able to
maintain a lawsuit against the company that held that data, even if the
plaintiff suffered no harm whatsoever.”

CareFirst added that it wants the Supreme Court to clarify what plaintiffs
must allege “to establish an injury in fact for an allegedly threatened
injury.” This is an increasingly common scenario as the number of data
breaches across the country continues to rise, the healthcare organization

“CareFirst does not ask the Court to establish a new standard, but to
reaffirm that a substantial risk of threatened injury cannot be sufficient
to confer Article III standing unless that risk is indeed actual or
imminent,” CareFirst explained. “This case provides an ideal opportunity to
provide that clarity.”

The reply also contended that the Appeals Court made a statement that held
no legal or factual support.

“A substantial risk of harm exists already, simply by virtue of the hack
and the nature of the data that the plaintiffs allege was taken,” the
Appellate Court said.

The allegation was false, according to CareFirst.

“The court of appeals read into the complaint allegations that the data
breach accessed Respondents’ Social Security numbers,” the healthcare
organization explained. “The district court had concluded otherwise and
noted that even if there were such an allegation, CareFirst submitted a
sworn declaration in support of its motion to dismiss proving that
Respondents’ allegations were untrue.”

The CareFirst data breach case began when the healthcare organization
experienced two separate data breaches. One occurred in June 2014 and
another near May 2015.

CareFirst said it was conducting a risk assessment on April 21, 2015 when
it discovered that “a sophisticated cyberattack occurred.” There was also
“limited unauthorized access to a database on June 19, 2014.”

In the reported incidents, member-created user names created by individuals
to access CareFirst’s website, members’ names, dates of birth, email
addresses and subscriber identification numbers were potentially involved.
However, Social Security Numbers, medical claims information, and financial
information were not involved.

In an increasingly digital age, it is more and more difficult to establish
privacy expectations. The Supreme Court’s decision, over what constitutes
reasonable expectations for data privacy and what harm could actually occur
following an incident, will have an impact beyond the healthcare space.

LeClairRyan Partner Chad Mandell noted in a 2017 blog post that it is
tricky to prove proper legal standing “and class certification remains an
obstacle that has yet to be successfully overcome.”

“No organization, no matter how large and no matter what security protocols
are in place, is immune from its systems being compromised,” Mandell wrote.
“Thus, it is reasonable to ask whether alleged damages in a data-breach
case truly can be traced to a given hack of a particular company or whether
they stem from a prior breach or multiple prior breaches of the plaintiff’s
own computer.”

Even when security measures are put in place, it may not be enough to
prevent companies from being held to impossible standards, he added.

Regardless, healthcare providers still need to take steps toward remaining
compliant with all federal and state privacy and security regulations. This
includes ensuring that all staff members are regularly trained on HIPAA
compliance and best practices for maintaining PHI security.

Organizations will also need to have applicable technical, physical, and
administrative safeguards in place.

Cybersecurity threats are continuously evolving, and healthcare
organizations also need to make adjustments to keep pace against those
changing threats. There is no silver bullet against healthcare data
breaches, but entities can take critical steps toward prevention,
detection, and response measures.