Horizon BCBS Breach Suit DismissedJudge Determines Plaintiffs Failed to Show Injury
A federal judge has dismissed a consolidated class action lawsuit filed against Horizon Blue Cross Blue Shield in the wake of a 2013 data breach. The incident, which involved the theft of two unencrypted laptop computers, exposed information on nearly 840,000 individuals (see Insurer Sued Over Data Breach).
See Also: The Power and Scale of XDR
Similar to court decisions in many other data breach cases, a judge dismissed the Horizon case because the plaintiffs did not demonstrate they had suffered harm as a result of the breach.
Attorney Brad Rostolsky of law firm Reed Smith says that plaintiffs in similar breach lawsuits will often have an uphill battle. "The Horizon decision further illustrates that courts will likely look to actual injury as a prerequisite for standing. In this case, it seems that the court viewed the plaintiffs' claims of damages as too tenuously connected to the breach."
Privacy attorney Scot Ganow of the law firm Faruki Ireland & Cox PLL says the judge's analysis in the Horizon case "demonstrates courts are still seeking standing to be established and for that, a harm ... has to result from the alleged breach."
The plaintiffs in the Horizon case sued the insurer for failing to adequately secure and safeguard its members' information, including names, dates of birth, Social Security numbers, addresses, medical histories, test and laboratory results, and insurance information.
According to court documents, the plaintiffs argued that as "a direct and proximate result of Horizon's wrongful actions and inaction" they had "been placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the data breach on their lives."
The plaintiffs claimed to have sustained "economic damages" and other actual harm for which they are entitled to compensation, and also asserted federal causes of action under the Fair Credit Reporting Act and several state law causes of action.
But in dismissing the case, U.S. District Judge Claire Cecchi of the District of New Jersey said the plaintiffs failed to demonstrate "an injury-in-fact." In her ruling, the judge said the plaintiffs "cannot rely on their increased likelihood of future harm as a basis for their case."
Comparisons to AvMed
Cecchi also noted that the plaintiffs in the Horizon case cited the decision in a breach lawsuit case against health plan AvMed, which resulted in a $3 million settlement. In that breach case, stemming from the 2009 theft of two unencrypted laptops containing data on 1.2 million individuals, the court approved a settlement in which 460,000 AvMed members received $10 for every year they paid premiums prior to the theft, with a maximum payment of $30. The settlement amount represents what AvMed should have spent on protecting data, so it amounts to a refund of premium overpayment.
Additionally, individuals in the AvMed case who were victims of identity theft as a result of the breach were allowed to submit claims to be reimbursed for their monetary losses.
In her decision, Cecchi noted that the plaintiffs in the Horizon case, like the plaintiffs in the AvMed suit, argued that they suffered "economic injury ... claim[ing] that they 'received less than they bargained for' because they paid insurance premiums to the defendant that were, at least in part, 'allocated' for data protection and the defendant 'did not encrypt all computers.'"
But the plaintiffs in the Horizon case "in stark contrast, [did not] allege that they were careful in guarding their sensitive information, that they suffered any monetary losses like those alleged in [Avmed case], or that they have sustained any other injuries such as identity theft, identity fraud, medical fraud or phishing," the judge said.
Attorney Ron Raether of the law firm Faruki Ireland & Cox PLL, notes that in the Horizon case, "the court's treatment of causation is interesting as how she distinguished [it from] Avmed. ... On the causation issue, it will be nearly impossible for the plaintiffs to establish that any identity theft was caused by the event. While other cases have given the plaintiff the benefit of the doubt, the court here put a higher burden on the plaintiffs."
Ganow doesn't believe there will be much of a shift anytime soon in how these cases are being treated by the courts. "Honestly, I do not expect a lot of change from what we have already seen as a result of this [Horizon] case," Ganow says. "Courts across the country have been generating case law with differing standards for harm and standing ... for years. "In doing so, they continue to provide attorneys a challenge - or opportunity - on both sides of the litigation battle line."
Horizon BCBS did not respond to Information Security Media Group's request for comment.
Advocate Case Resurfaces
In other health data breach-related legal developments, attorneys representing plaintiffs in another class action lawsuit are back in court.
Attorneys for plaintiffs in a suit against Advocate Health and Hospitals Corp. that was dismissed last year for reasons similar to the Horizon dismissal are looking to revive the case by appealing to the Seventh Circuit Court in Illinois.
The appeal argues that Advocate was in violation of the Fair Credit Reporting Act by failing to protect health data. The breach involved the theft of four unencrypted computers from an Advocate office in 2013, compromising information of about 4 million patients.