A Victory for the Victims: D.C. Appeals Court Allows Class Action Lawsuit against CareFirst to Proceed

Back in 2014, CareFirst BlueCross BlueShield was hacked, and the personal information of more than a million patients was potentially stolen. When the time came to file a class action lawsuit against CareFirst, those victims trusted Paulson & Nace, PLLC to fight for them in court.

On August 1, 2017, the U.S. Court of Appeals for the District of Columbia overturned an earlier dismissal of the case, and ruled that the previous court had “given the complaint an unduly narrow reading,” and the “conclusion [by the judge] rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach.” This is an important win for the victims of the security hack, many of whom face the risk of having their identities stolen.

Chris Nace told Bloomberg BNA, via email, “that Spokeo did not create a higher bar for victims of data theft than exists for others who bring negligence cases is important. Today’s opinion affirms that our courts will provide a venue for victims of data breach to have their cases heard and resolved.”

What is Spokeo, and how does it apply?

In 2016, Thomas Robins claimed that Spokeo, a “people” search engine, had published incorrect information about him, and that because of these errors, he might lose out on job opportunities. He filed a class action suit against the company on behalf of anyone else who might have sustained a loss because of Spokeo’s practices, claiming the company violated the Fair Credit Reporting Act. As SCOTUSblog explains, “The district court dismissed Robins’ case on the ground that he lacked ‘standing’ – the legal right to bring a case – because he could not show any actual harm from Spokeo’s publication of inaccurate information about him.” The case, Spokeo, Inc. v. Robins, went to the Supreme Court, which sent it back to the lower courts for review.

The “actual harm” was the hang-up in Spokeo: did Mr. Robins sustain any real harm, or just the potential for harm?

Why the case against CareFirst is different

This is also the crux of the class action filed against CareFirst. More than a million people could be harmed by the data breach – but did that harm occur?

The U.S. Court of Appeals for the District of Columbia agrees that it did. As CareFirst acknowledged, “attackers could have potentially acquired member-created user names created by individuals to access CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification number.” While passwords and Social Security Numbers were stored elsewhere, and therefore not part of the hacked data, it is still plausible that this information could have been found – and that the whole point of the hack was, indeed, to find this type of personal information.

At its heart, this is what the class action lawsuit against CareFirst was about: the company failed to take the right steps to protect its customers, thereby putting those customers’ sensitive information at risk of a hack. Because cyber hacks like these are designed to steal people’s information for the purposes of identity theft, all 1.1 million CareFirst users were at substantial risk of harm – or, as Marc Rotenberg, president and executive director of the D.C. privacy rights group EPIC, puts it, “The claims are concrete, particularized and actual violations of their legally protected interests.”

Paulson & Nace, PLLC is based in Washington, DC, and serves clients in the greater Metro area, West Virginia, and the surrounding regions.