Court Won't Certify Class Action Lawsuit in CareFirst HackLegal Saga Has Included Many Ups and Downs for Plaintiffs and Company Since 2015
A U.S. federal court ruling this week is the latest setback for plaintiffs in an 8-year-old proposed class action litigation against health insurer CareFirst BlueCross BlueShield in the aftermath of a 2014 cyberattack that affected more than 1.1 million individuals.
The case has had its ups and downs for plaintiffs and CareFirst since the proposed class action was first filed in 2015.
In the ruling on Tuesday, District Judge Christopher Cooper, of the U.S. District Court for the District of Columbia, denied the plaintiffs' motion filed last August to certify three classes.
The court ruling left open the possibility for the case to proceed with certain modifications, such as a class of individuals who spent time on responding to the risk presented by the breach.
The suit is still active, only due to a federal appeals court ruling in 2017 that overturned a lower court's decision in 2016 dismissing the proposed class action (see: Appeals Court Allows CareFirst Breach Class Action Lawsuit to Proceed).
The U.S. Supreme Court in 2018 declined CareFirst’s request for review, bouncing the suit back to the U.S. District Court for the District of Columbia to proceed (see: Supreme Court Won't Review CareFirst Data Breach Case).
The core claims of the plaintiffs' lawsuit are that the CareFirst data breach exposed millions to "an increased risk of fraud and identity theft, requiring them to spend time and money on mitigating measures, such as purchasing credit monitoring services and the like," Cooper wrote in his ruling.
"The court has serious concerns about whether common issues will predominate over individual inquiries in this case," he wrote.
Cooper wrote that in light of the Supreme Court’s recent decision in the landmark case TransUnion v. Ramirez restricting actionable injuries to "concrete harm," he suspects that the proposed class "would impermissibly sweep in large numbers of uninjured class members."
The plaintiffs in their motion for class certification proposed three classes.
The first is the "contract class," or all persons who reside in Washington, D.C; Maryland and Virginia - areas where CareFirst offers insurance - who purchased or possessed health insurance from the underwriter and whose information was breached as a result of the data breach announced by the company in May 2015.
The other two classes are separate "consumer classes" for residents of Maryland or Virginia who purchased or possessed health insurance from CareFirst and were affected by the data breach.
“Plaintiffs may yet be able to demonstrate that narrowing their class definitions in light of TransUnion (if necessary) will not overwhelm this case with individualized inquiries," Cooper wrote.
The court's ruling demonstrates ongoing grappling with the effects of the Ramirez ruling, said attorney Steven Teppler, partner and chief cybersecurity legal officer at law firm Mandelbaum Barrett, who is not involved in the CareFirst case.
"At this point, we’re seeing fairly disparate interpretations of the term 'concrete' injury," he said.
"If we are to assume that a cybersecurity incident will almost always involve a PHI/PII exfiltration, the real question is: For what purpose - if not for sale to use in an ID compromise or extortion - would a threat actor even bother?"
Plaintiffs could possibly clear the test for "concrete harm" by limiting the class "only to CareFirst customers affected by the breach "who have spent time or money undertaking mitigation measures," Teppler said.
Neither CareFirst's attorneys nor attorneys representing plaintiffs in the lawsuit immediately responded to Information Security Media Group's requests for comment on the ruling.
Approximately 1.1 million current and former CareFirst members and individuals who do business with CareFirst online and who registered to use CareFirst's websites prior to June 20, 2014, were affected by the breach, the company said (see: CareFirst BlueCross BlueShield Hacked).
The incident involved an April 2014 spear-phishing campaign. A review of the incident determined that attackers gained access to a single database in which CareFirst stores data that members and other individuals enter to access CareFirst’s websites and online services, CareFirst said in its breach notice.
Information compromised in the incident includes CareFirst members’ names, birthdates, email addresses and subscriber identification numbers.