Incident Response, Breach, Email security

CareFirst decision cites ‘actual harm’ requirement in data breach lawsuits

Share
Wooden judges gavel on wooden table, close up

Three ongoing data breach lawsuits against insurance giant CareFirst will not be consolidated into a class action filing. A D.C. Circuit Court judge declined the effort to adjoin the cases, as “it would impermissibly sweep” individuals into the suit who’ve not faced actual harm.

The District Court decision filed March 28 revives the oft-overlooked Supreme Court's June 2021 decision in TransUnion LLC v. Ramirez, which concluded only those “concretely harmed” by a breach have standing to seek damages against an entity.

Despite the Supreme Court ruling, there has been a surge in healthcare data breach lawsuits in the last year — many of which do not include evidence of harm faced by individuals whose data is caught up in a cyber incident.

As noted in this week’s memorandum, the individuals who’ve been suing CareFirst since June 2015 “do not at this stage contend” ... “nor does the record suggest as much” that threat actors accessed any sensitive patient data during a security incident reported in May 2015.

The ongoing litigation stems from an April 2014 hack of CareFirst’s internal data system, brought on by an email-based spear-phishing campaign that aimed to install a backdoor into the network. One employee fell for the scam and gave the attackers access to the system. At the time, 1.1 million patients were notified of the potential data impact.

It should be noted that the reported incident occurred a full two years before healthcare data breaches became commonplace, raising overall cyber awareness for the industry.

These lawsuits assert that “CareFirst committed a host of errors that allowed the hackers to access the company’s data and remain undetected for a prolonged period of time, including failing to reset passwords on certain company accounts, disable local administrator accounts, perform a password reset… install two-factor authentication,” and other missteps.

As a result of these failures, the actors may have accessed subscriber ID numbers, dates of birth, email addresses, and usernames for CareFirst’s online member portal. CareFirst offered all impacted individuals two free years of credit monitoring and identity-theft protection.

The lawsuits soon trickled in and were later amended to include causes of action, including how CareFirst handled the incident, as well as breach of contract and violations of the Maryland and Virginia Consumer Protection Acts. Much of the accusations stemmed around possible risks of identity theft and other recovery needs for possible fraud attempts.

As a result of the hypothetical risks, a 2016 court granted CareFirst’s motion to dismiss the lawsuits for lack of standing, as the breach victims “had pleaded only a speculative risk of identity theft stemming from the breach.”

“On remand, CareFirst filed a motion to dismiss for failure to state a claim under Federal Rule of Civil Procedure,” according to the new filing. The court agreed to do so as the individuals “had failed to allege actual damages necessary for their breach of contract and consumer protection claims.”

The case was dismissed for all except two named plaintiffs, Kurt and Connie Tringler, who did provide evidence of harm.

This week’s decision reaffirms the need to demonstrate concrete harm, explained as “an alleged injury” that “must bear a ‘close relationship’ to a harm ‘traditionally’ recognized for the basis of a lawsuit in U.S. courts. As such, any plaintiffs “must identify ‘a close historical or common-law analogue for their asserted injury,’ according to the filing.

As the Supreme Court found in its 2021 decision, only the class members whose “injury was sufficiently analogous to ‘the reputational harm associated with the tort of defamation’” constituted a concrete injury. Although “a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring,” they must present evidence that the “risk of harm is sufficiently imminent and substantial” to pursue damages.

The decision noted these lawsuits don’t explain how the compromised data could lead to identity theft.

While the data tied to the incident “could conceivably lead to a risk of a particular form of medical identity theft,” the lawsuits don’t explain how the mitigation measures class members might take “would relate to combatting the much narrower form of medical identity theft potentially implicated here.”

The named plaintiffs in this case indeed have an alleged concrete injury from the incident. But
“unfortunately for plaintiffs, the court has some unresolved questions concerning predominance in this case that, at least for now, preclude class certification.”

The court does believe the plaintiffs have standing “because they have spent at least some amount of time or money protecting against the risk of future identity theft or medical fraud. [But] the proposed classes — as presently defined — would appear to sweep in significant numbers of people who have suffered no injury in fact, in light of TransUnion.”

As a result, “that state of affairs may pose a serious predominance problem.”

“The problem is not that some individualized inquiry would be necessary to determine the extent of each class member’s damages, measured by the amount of time spent on mitigation, but the current class definitions would yield a high number of ‘false positives’: CareFirst customers who have spent no time on mitigation.”

In its current state, the lawsuit does not address these concerns, thus “risk of harm is insufficient to create injury in fact.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.