Class Certification in CareFirst Lawsuit Denied by District Court Judge

The lawsuit concerns a data breach that occurred in April 2014.

By HFT Staff


A U.S. District Court Judge has denied class certification in a long-running legal battle against CareFirst BlueCross BlueShield over its 2014 data breach that affected 1.1 million plan members. The breach in question was due to a spear phishing attack in April 2014, which allowed unauthorized individuals to access a database that contained the names, birthdates, email addresses and subscriber ID numbers of around 1.1 million individuals who were registered to use CareFirst’s websites and online services. 

The lawsuit was initially filed in 2015 but was dismissed by a lower court in 2016 due to lack of injury, but was resurrected by a federal appeals court in 2017. In 2018, the U.S. Supreme Court declined CareFirst’s request for review and the case was returned to the District Court for the District of Columbia and was allowed to proceed. 

The lawsuit alleged CareFirst had failed to implement appropriate security measures and made several errors that allowed hackers to breach its network and access the data of its customers, and as a result of the data breach, class members face an increased risk of fraud and identity theft and have and will continue to have to spend time and money on mitigating measures. The lawsuit alleged breach of contract and violations of consumer protection laws in Maryland and Virginia. 

After completing discovery, in August 2022, the plaintiffs sought to certify three classes for each of the three causes of action – A contract class for residents of Washington D.C., Maryland and Virginia who purchased insurance from the underwriter and who had their information exposed in the breach, and two consumer classes for Maryland and Virginia residents who purchased insurance from CareFirst and were affected by the breach. 

District Court Judge, Christopher R. Cooper, determined that the plaintiffs had satisfied the prerequisites for class certification, “but the Court has serious concerns about whether common issues will predominate over individual inquiries in this case. Specifically, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez (2021), which held that a risk of future harm standing alone does not constitute a concrete Article III injury in damages actions.” As such, the motion for class certification was denied. 

The proposed class definitions would allow claims to be submitted by all affected CareFirst customers, even though many of those customers took no steps to mitigate their exposure to identity theft or medical fraud and therefore suffered no Article III injury. The injury in this case comes from the costs incurred due to the data breach, not the exposure of data due to the data breach. Judge Cooper said in his ruling that the plaintiffs can file a motion with narrowed class definitions to prevent claims from un-injured class members. 



April 6, 2023


Topic Area: Information Technology


Recent Posts

Disinfectant Dispensers in Healthcare Facilities Often Fail to Deliver Safe Concentrations: Study

Study of 10 hospitals finds 90 percent have at least one dispenser delivering disinfectants at incorrect concentrations.


Duke University Health System Receives $50 Million for Proton Beam Therapy Center

The donation is the largest philanthropic gift received by Duke University Health System.


UT Southwestern Experiences Data Breach Through Calendar Tool

The incident occurred in October.


Protecting Patient Data: Strategies and Tactics

As cyber threats and breaches grow, healthcare organizations and facilities need a better approach to cybersecurity.


Duke Health to Acquire Lake Norman Regional Medical Center

The closing is projected for the first quarter of 2025.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

 
 
 
 

Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.