A recent appellate court decision to allow a class-action lawsuit over a 2014 data breach at CareFirst to move forward could pave the way for future lawsuits, according to several privacy attorneys.
Last week a D.C. appeals court overturned a circuit court's dismissal of a lawsuit brought by members of CareFirst claiming a breach that compromised more than 1 million records put them at risk for identity theft. A trio of judges ruled that a “substantial risk of harm” exists because their information was hacked, even if there had been no actual harm as a result of the breach.
That nuanced ruling offers a new wrinkle in the legal risks that insurers face following a data breach, according to two attorneys at Sidley Austin LLP. Courts have struggled to identify concrete harm when it comes to data breaches, and although previous rulings have indicated courts are reluctant to move forward in cases where a hack compromises credit card information, medical data may be held to a higher standard.
“The D.C. Circuit’s decision may have significant implications for future data breach litigation, and in particular, litigation over data breaches involving insurance information,” they wrote.
Earlier this year, an appeals court made a similar move by vacating the dismissal of a lawsuit against Horizon Blue Cross Blue Shield over a 2013 data breach.
The CareFirst decision comes in the wake of Anthem’s $115 million settlement to resolve a class-action lawsuit regarding a 2015 breach that exposed nearly 80 million patient records. Overall, the discrepancies at the circuit court level regarding data breach harm will likely increase the costs of litigation along with the potential liability for insurers facing a class-action lawsuit, the attorneys added.