An appellate court ruling has breathed new life into a class-action lawsuit against Horizon Blue Cross Blue Shield over a healthcare data breach in 2013 that exposed more than 800,000 patient records.
The United States Court of Appeals for the Third Circuit vacated a district court’s 2015 dismissal and remanded the case, reasoning that although the four plaintiffs had not presented evidence that their information was used improperly, the fact that their personal information was stolen was enough to constitute a potential injury under federal law.
The breach occurred in November 2013, when two laptops housing unencrypted personal health data were stolen from the insurer’s headquarters in Newark, New Jersey. The four plaintiffs alleged willful and negligent violations of the Fair Credit Reporting Act (FCRA), noting that thieves fraudulently filed an income tax return on behalf of one of the plaintiffs.
Although the district court dismissed the case on the grounds that the plaintiffs had not suffered a “cognizable injury,” the appellate court pointed to two recent cases where it found that unlawful disclosure of information was considered a violation of FCRA. The judges added that the law’s intent was to protect patient information without having to wait for a tangible injury to occur.
“With the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm,” the court wrote.
Cybersecurity continues to be a major theme heading into 2017 as the healthcare industry struggles to keep pace with threats. Lawsuits have been an ongoing battle for CIOs across several industries in the fallout of data breaches.