Many courts have dismissed class action lawsuits involving data breaches due to a lack of evidence of harm to plaintiffs whose data was compromised.
That was the initial legal outcome in a consolidated class action data breach lawsuit against Horizon Blue Cross Blue Shield, which was tossed out back in April 2015 due to lack of proof of harm. At the center of the case was the 2013 theft of two unencrypted laptops containing information on nearly 840,000 individuals.
But in a significant decision, the U.S. Court of Appeals for the Third Circuit on Jan. 20 vacated the lower court's decision, saying tangible proof of harm was not necessary in order for the case to proceed, attorney Steven Teppler explains in an interview with Information Security Media Group. Teppler has represented plaintiffs in several breach-related cases but is not involved in the Horizon case.
A Different View
The decision to vacate the district court's ruling to dismiss the case was based on the breach of information being "a violation of Fair Credit Reporting Act - which is a statute that provides for both statutory damages, as well as injunctive relief or non-compensatory damages," Teppler says. The breach amounts to unauthorized dissemination of personal information, a violation of the Act, the appellate court concluded.
The statutory violations of the Fair Credit Reporting Act, the appellate court found, "placed the plaintiffs at immediate continuing risk of harm, identity theft, medical fraud - all the things that could happen when your medical records get leaked out into the public and are marketed and used by criminals."
The case will now return to the lower court, Teppler says. But in the meantime, he says the appellate court ruling in the Horizon case means that "moving forward, any courts in the Third Circuit will have to follow that decision," including federal courts in New Jersey, Pennsylvania, Delaware and the U.S. Virgin Islands. "This becomes binding precedent on all federal district courts in that circuit."
In the interview, Teppler also discusses:
- What's likely to come next in the Horizon breach case as it returns to the lower court;
- What else makes the Horizon case different from many other class action lawsuits involving data breaches;
- Lessons that healthcare organizations should learn from the case about breach prevention practices.
Teppler is a partner at the Abbott Law Group in Jacksonville, Fla., where he leads the electronic discovery and technology-related litigation practice. He was also one of the attorneys who represented plaintiffs in a data breach class action lawsuit against health plan AvMed that ended in a $3 million settlement in 2013. Teppler is an adjunct professor at Nova Southeastern University Law School.