CareFirst BlueCross BlueShield has filed a petition with the U.S. Supreme Court asking the high court to review a case involving a 2014 data breach that exposed nearly 1.1 million records.
If accepted, it would be the first data breach case to reach the Supreme Court, offering a potentially game-changing precedent for future data breach litigation.
CareFirst's petition follows an August ruling by the U.S. Court of Appeals for the District of Columbia that allowed CareFirst customers to proceed with a class-action lawsuit against the insurer. The decision overturned a D.C. district court’s ruling that the plaintiffs had not suffered actual harm. The panel of appellate judges noted that “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
That sets a dangerous precedent, CareFirst attorneys argue, and it's inconsistent with other circuit court rulings. The appeal, filed earlier this week, focuses primarily on Article III of the U.S. Constitution, which requires plaintiffs to show they have suffered an actual or threatened injury that can be traced back to the defendant.
CareFirst’s attorneys argue the D.C. Appeals Court erred in its ruling because it did not determine whether the plaintiff’s future injuries were “certainly impending.” Perhaps more importantly, the insurer cites a “growing uncertainty” among circuit courts regarding the level of harm associated with a data breach. The petition pointed to several other lawsuits, including two filed against CareFirst in Illinois and Maryland, that were ultimately dismissed.
Amid a “rising tide of data hacks and the class action lawsuits they inevitably spur,” the case provides an opportunity to provide boundaries for lower courts overseeing future data breach cases, the attorneys argue.
“This case presents an ideal vehicle for the Court to clarify that to satisfy the substantial risk standard, an alleged future injury must be imminent,” CareFirst attorneys wrote in the petition.
The issue of harm has become a growing legal rift in data breach cases spanning multiple industries. Earlier this year, an appellate court overturned a previous court’s decision to dismiss a case against Horizon Blue Cross Blue Shield following a 2013 data breach, arguing the unlawful disclosure violated the Fair Credit Reporting Act. Questions about data breach harm were also in play when the U.S. District Court for D.C. dismissed a lawsuit against the Office of Personnel Management after a breach exposed the personal information of 22 million federal employees.
Alan Butler, senior counsel at the Electronic Privacy Information Center in Washington, D.C, previously told FierceHealthcare that if the Supreme Court grants CareFirst’s petition “it would be one of the most important cybersecurity cases ever heard in the Court.”