By Bill Butler
Recently, the D.C. Circuit Court of Appeals ruled in Attias v. CareFirst, Inc., No. 16-7108, that customers had standing to sue a health insurer for a 2014 data breach in which the customers’ information was stolen. In reversing the district court’s dismissal of the class action, the D.C. Circuit held that the customers’ allegations that the hackers accessed and took their Social Security numbers, credit card numbers, and health insurance subscriber ID numbers were each independently sufficient to show actual or imminent injury. The customers’ complaint alleges that CareFirst — which serves approximately 1 million customers in the District of Columbia, Maryland, and Virginia area — was negligent, violated various state-law consumer protection and data breach laws, and breached contracts because CareFirst did not properly encrypt some of the personal information that its customers provided.
The principal question before the D.C. Circuit was whether the customers had plausibly alleged a substantial risk of future harm — i.e., identify theft — by reason of the data breach. The lower court did not read the complaint to allege that customer-plaintiffs’ social security numbers or credit card numbers had been stolen and therefore concluded that the customers failed to identify an “actual or imminent” injury. The D.C. Circuit disagreed. It read the complaint more broadly, finding that social security numbers and credit card information were included in the complaint’s list of information allegedly stolen. The D.C. Circuit found that the theft of social security numbers and credit card information establishes substantial risk of future identify theft.
Notably, the D.C. Circuit also found that the complaint’s allegations of theft of the plaintiffs’ health insurance subscriber ID numbers also were sufficient to allege a substantial risk of future injury sufficient to create standing. The opinion explained that the theft of this information, in conjunction with customers’ names, birth dates, and email addresses, could plausibly result in “medical identify theft” in which a criminal impersonates the identity-theft victim to obtain medical services in her name. Because such fraud could lead to “inaccurate entries in the [victims’] medical records” and “can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs,” the theft of health insurance subscriber ID numbers in and of itself established a substantial risk of future injury, even if the defendant had not exposed social security numbers.
The upshot of the D.C. Circuit opinion in CareFirst is that health insurance subscriber ID numbers — or other information that could enable someone to fraudulently obtain medical services — likely fall in the category of personal information that creates a substantial risk of identity theft when stolen. Health insurance companies, healthcare providers, and other companies that possess and store health insurance-related data should be sure to maintain reasonable security measures, including encryption of the data, to prevent theft of the data. Even where reasonable security measures cannot prevent a data breach incident, such security measures may be a critical factor in dismissing a customer lawsuit.