E-Alert Case Updates

Plaintiffs Lacked Standing to Sue CareFirst Over Personal Information Stolen in Data Breach

Chantal Attias, et al. v. CareFirst, Inc., et al.
(August 10, 2016) United States District Court for the District of Columbia
by Matthew J. McCloskey, Associate
Semmes, Bowen & Semmes (www.semmes.com)

Available at: https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2015cv0882-40

In a recent opinion, the United States District Court for the District of Columbia held that the named Plaintiffs in a class action lawsuit against CareFirst, Inc. had failed to establish that they had standing to sue for injuries alleged to have occurred as a result of a data breach that involved the theft of Plaintiffs’ personal data.

In June of 2014, CareFirst, a health insurance company, suffered a data breach that led to the dispersal of the personal information of 1.1 million of its policyholders. Subsequently, seven (7) named Plaintiffs brought suit against CareFirst on behalf of themselves and other similarly situated individuals, “alleging that CareFirst violated a host of state laws and legal duties by failing to safeguard their personal information.” The parties agreed that the compromised information included the policyholders’ names, birth dates, email addresses, and subscriber identification numbers. CareFirst further asserted that the policyholders’ social security and credit card numbers were not stolen. Plaintiffs disputed CareFirst’s assertion in this regard, but the Court noted that Plaintiffs’ Complaint did not allege that Plaintiffs’ social security numbers were stolen. CareFirst moved to dismiss Plaintiffs’ Complaint, arguing that Plaintiffs lacked standing to sue because they did not allege that their personal information was actually misused and did not explain how the stolen information could be used to assume their identities.

Judge Christopher R. Cooper, writing for the Court, granted CareFirst’s motion to dismiss. Emphasizing that “[t]he question at issue here is whether the named Plaintiffs have demonstrated an ‘injury in fact’ that is concrete, particularized, and actual or imminent” and “fairly traceable to” CareFirst, the Court noted that only two (2) of the named Plaintiffs had alleged that they suffered actual identity theft. The five (5) other Plaintiffs instead argued that the harm they suffered was the increased likelihood that they will be victims of identity theft at some point in the future. Relying on a prior case addressing similar stolen data, albeit in physical form, the Court concluded that the “series of assumptions required to find concrete harm to Plaintiffs” was too attenuated to be considered an injury in fact. At a minimum, the individuals who stole the data would have to “have the ability to read and understand Plaintiffs’ personal information, the intent to ‘commit future criminal acts by misusing the information,’ and the ability to ‘use such information to the detriment of [Plaintiffs] by making unauthorized transactions in [Plaintiffs’] names.” Moreover, it was even more speculative as to whether the type of data stolen in this case would allow the thieves to actually steal Plaintiffs’ identities. Accordingly, the Court concluded that the five (5) Plaintiffs claiming an increased potential for identity theft had not demonstrated an injury in fact.

As to the two (2) Plaintiffs who claimed they had suffered actual identity theft, in the form of a purported tax-refund fraud, the Court concluded that these Plaintiffs had pled a sufficient injury in fact. Nevertheless, the Court noted that those Plaintiffs still had to demonstrate that their injury was “fairly traceable to” CareFirst. Because their Complaint did not allege that their social security numbers were stolen, and because it was “not plausible” that tax refund fraud could be committed without the two (2) Plaintiffs’ social security numbers, the Court determined that those Plaintiffs had also failed to establish standing.

Finally, the Court rejected four (4) additional contentions regarding Plaintiffs’ injuries. First, Plaintiffs could not show standing through the purported necessity that each purchase credit-monitoring services to prevent identity theft, as Plaintiffs were essentially attempting to create standing by inflicting economic harm upon themselves. Second, Plaintiffs’ alleged overpayment of insurance premiums, under the argument that part of their premium went to CareFirst’s clearly deficient data security, was insufficient, as Plaintiffs made no contention that the money they spent could have purchased an insurance policy from a more secure source. Third, Plaintiffs made no sufficient factual allegations to support the argument that their stolen data contained any intrinsic value. Fourth, Plaintiffs could not find standing through the District of Columbia Consumer Protection Act because, although the Act allows plaintiffs to show a particularized harm, it did not statutorily confer Article III standing. As a result, the Court dismissed Plaintiffs’ complaint for lack of jurisdiction.