CareFirst Petitions Supreme Court Over Data Breach Lawsuit

If the Supreme Court hears the case, it could have major implications for future hacking incidents.

In August, a US appeals court ruled that CareFirst BlueCross BlueShield insurance customers could proceed with a class-action lawsuit regarding a 2014 data breach that resulted in more than 1 million compromised patient records. Now, the company is petitioning the Supreme Court to review that decision.

The case rests on whether CareFirst patients have standing under Article III of the Constitution. The petition states that plaintiffs must prove they “suffered an ‘injury in fact’ that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Damages must also be traceable to the hack and the company.

The customers argue that their increased risk of identity theft represents injury, and 2 of the named plaintiffs allege that they suffered tax refund fraud as a direct result of the breach. Other claims of harm include loss of intrinsic value of their personal information; violation of statutory rights under consumer protection acts; financial loss from paying for credit monitoring; and even financial loss from overpaying CareFirst for insurance, “the cost of which they maintain should have covered prophylactic measures against hacking.”

CareFirst’s petition alleges that those injuries are conjectural and not imminent. “Even the court of appeals noted that any threat to respondents is based entirely on future possible acts of unknown third parties,” the insurer’s attorneys write.

They claim that the circuit court’s threshold for threatened injury is irreconcilable with precedent, citing other cases that ruled in favor of companies that had been hacked.

The case may set new precedents, as high-profile cyberattacks continue to compromise consumer and patient data by the millions. No consensus has been established yet. This year, a district court prevented a class-action suit against the US Office of Personnel Management, which suffered a breach of 22 million federal employee records. An appellate court, however, allowed a suit to proceed against Horizon Blue Cross Blue Shield.

“The Court should provide guidance to the lower courts on the boundaries of federal court jurisdiction to hear these claims,” CareFirst’s attorneys urge in the petition.