D.C. appeals court allows members to proceed with data breach lawsuit against CareFirst

An appeals court has ruled that CareFirst customers can proceed with a class-action lawsuit against the insurance company seeking damages following a 2014 data breach involving more than 1 million records.

Three judges with the U.S. Court of Appeals in the District of Columbia overturned a district court’s decision to dismiss the case, ruling that the risk of future injury alleged by CareFirst members was substantial enough to move forward.

The decision adds a new twist to the case after the district court ruled the plaintiffs had not suffered any actual harm from the breach and that any increased risk of identity theft was too speculative.

But the appeals court shot down that reasoning, arguing that it is plausible to infer that the hackers who accessed CareFirst systems would use the information acquired to commit fraud using personal health information and Social Security numbers. Furthermore, the court indicated the potential for injury was “fairly traceable” based on the insurer’s failure to secure member data.

“No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken,” the judges wrote in their decision.

The case against CareFirst mirrors a separate class-action lawsuit against Horizon Blue Cross Blue Shield following a 2013 breach that exposed more than 800,000 patient records. In January, an appeals court overturned a district court’s dismissal of that case, arguing that although the plaintiffs had not presented evidence their information was used improperly, the stolen information was enough to warrant potential injury.