Appellate court ruling sets the stage for CareFirst to take its data breach case to the Supreme Court

View of the Supreme Court building
The latest twist in the CareFirst data breach case sets the stage for what could be the first data breach case to reach the Supreme Court. (Credit: sframephoto/iStock/Getty Images Plus/Getty Images)

A healthcare data breach case could be on its way to the Supreme Court.

A month after ruling that members impacted by a 2015 data breach at CareFirst could move forward with a class-action lawsuit, a D.C. appeals court granted the insurer’s request to pause the ruling to file an appeal with the Supreme Court.

RELATED: D.C. appeals court allows members to proceed with data breach lawsuit against CareFirst

The court’s decision marks a critical initial step in what could be the first data breach case to reach the high court.

“If the [Supreme] Court were to grant review in CareFirst or another one of the data breach standing cases, it would be one of the most important cybersecurity cases ever heard in the Court,” Alan Butler, senior counsel at the Electronic Privacy Information Center in Washington D.C., said in an email to FierceHealthcare, noting that some courts have refused to hear data breach cases based on a lack of standing. 

CareFirst filed its appeal (PDF) on Aug. 31, arguing that the case presents a “substantial question” about whether a data breach and the prospect of future harm is substantial enough to warrant legal action. Courts have differed on their interpretation of substantial harm tied to a data breach. The D.C. appeals court ruling overturned a district court’s decision to dismiss the case. Similarly, in January, the United States Court of Appeals for the Third Circuit overturned a district court’s decision to dismiss a class-action lawsuit against Horizon Blue Cross Blue Shield following  2013 breach that exposed more than 800,000 patient records.

The CareFirst breach exposed about 1.1 million records after the company was targeted by a cyberattack.

RELATED: CareFirst data breach ruling increases liability risks for insurers in future lawsuits

Although the Supreme Court has addressed the issue of what constitutes substantial injury, CareFirst’s attorneys argue that the court has yet to decide on the definition of an injury in relation to a data breach. Several months ago, Anthem agreed to a $115 million settlement to resolve a class-action lawsuit following a breach that exposed nearly 80 million records. 

“The Supreme Court needs to address this area of the law to provide more guidance to federal district and appellate courts, especially given that federal courts have struggled to reach consensus as to when the prospect of future injury resulting from stolen information truly presents a 'substantial risk' of actual harm,” the motion reads.

Whether the Supreme Court decides to take on the case remains to be seen. Although facts of the case revolve around the new and rapidly developing concern about data breaches, the Supreme Court typically lets the lower courts hash out these cases until there’s a clear disagreement that requires them to weigh in. Although there has been some discrepancy, in the lower courts, it may not be enough for the justices to hear this particular appeal, Matthew Fisher, a partner at Mirick, O’Connell, DeMallie & Lougee, LLP, told FierceHealthcare.

“My gut feeling is it's fairly low,” he said of the odds the Supreme Court takes the case. “It doesn’t sound like there’s a big split in the circuit courts yet.”