Supreme Court Punts on CareFirst Data Breach Lawsuit

Tucked into the “Certiorari Declined” sectioned of today’s Supreme Court Order List was the petition CareFirst BlueCross Blue Shield raised over a class action lawsuit brought against it for a 2014 data breach. The Court provided no public reasoning for its decision not to consider the cast, which CareFirst argued could lead to a “flood of no-injury class actions arising from virtually every data breach.”

The company filed petition in November of last year after a US appeals court ruled that the company’s customers could proceed with their lawsuit, which alleges the insurer failed to properly encrypt important patient data.

Plaintiffs in the case claim to have suffered loss of intrinsic value of their personal information; violation of statutory rights under consumer protection acts; financial loss from paying for credit monitoring; and even financial loss from overpaying CareFirst for insurance, “the cost of which they maintain should have covered prophylactic measures against hacking.”

A pair of plaintiffs in the case claim they suffered tax refund fraud as a direct result of the breach, which occurred in June 2014 and resulted in over 1 million patient records being accessed. The company claimed at the time, and has continued to claim in subsequent legal filings, that no social security or credit card numbers were compromised in the cyberattack.

The case will remain in the hands of lower courts, which have had a mixed record on data breach lawsuits. In 2017, a district court dismissed a lawsuit against the US Office of personnel Management, which suffered a massive data breach in 2015 that may have compromised information on over 20 million current and former federal employees. On the other hand, a data breach suit stemming from 2013 against Horizon Blue Cross Blue Shield of New Jersey—which stemmed from a 2013 incident and was at one point dismissed—was revived early last year by an appellate court.

Last week, Horizon Blue Cross Blue Shield settled yet another data breach case with the New Jersey Division of Consumer Affairs for $1.1 million. The case focused on a 2008 data breach that exposed the data of nearly 690,000 customers whose information had been stored on laptops stolen from the company’s headquarters.

“Protecting the personal information of policyholders must be a top priority of every company. Customers deserve it and the law demands it,” Steve Lee, Director of the Division of Consumer Affairs, said of the settlement. Horizon Blue Cross Blue Shield has also agreed to undergo third-party consultation on its cybersecurity practices and to update its systems accordingly.

Related Coverage:

January's Health Data Breaches Affected 400,813 Patients

Florida Judge Throws Out False Claims Lawsuit Against Epic

Aetna and KCC Spar in 2 Lawsuits Over HIV Data Breach