Court says health insurance company can be sued for data breach

The nation’s second most powerful court ruled Tuesday that a health insurance company’s customers can sue the provider for a 2014 cyberattack in which their personal information was stolen.

A three-judge panel on the D.C. Circuit Court of Appeals reversed a district court’s decision dismissing the class action suit that seven customers brought against CareFirst, which serves 1 million customers in the District of Columbia, Maryland and Virginia.

The customers attributed the breach to the company’s carelessness and argued that they suffered an increased risk of identity theft as a result. But the lower court said the customers lacked standing because they failed to show a present injury or a likelihood of being injured in the future.

Delivering the opinion of the appeals court on Tuesday, Judge Thomas Griffith said the district court gave the complaint an unduly narrow reading.

“The District Court concluded that the plaintiffs had ‘not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing,’ in part because they had ‘not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their Social Security or credit card numbers,’” Griffith said.

“But that conclusion rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach,” he added. “In fact, the complaint did.”