U.S. court rules health insurance company can be sued for data breach


The District of Columbia Circuit Court of Appeals, which sits in the U.S. capital, has ruled that customers are permitted to sue CareFirst for a data breach that reportedly compromised the personal information of 1.1 million of its customers.

A relatively small number of customers brought the class action (group action) lawsuit, alleging that the health insurance provider had contributed to the breach through its carelessness and lack of cybersecurity.

The court cases

A lower court originally ruled that the customers lacked legal standing because they were not able to prove a “present injury” or a “likelihood of being injured in the future”.

However, this was reversed by the panel of judges at the D.C. Court of Appeals.

One of the three panel judges, Judge Thomas Griffith, explained that:

“…the District Court concluded that the plaintiffs had ‘not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing’ in part because they had ‘not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their Social Security or credit card numbers.’”

However, Judge Griffith pointed out that the District Judge came to a conclusion on an “incorrect premise.” The complaint raised in the lawsuit did in fact point out that Social Security and credit card numbers were stolen in the data breach.

Recognising the damage that can be done…

Although the point of law had more to do with what was alleged, the District Court reportedly failed to recognise that, even without Social Security numbers and credit card numbers, hackers can still cause a lot of harm to the victims whose personal data was stolen.

Risk examples can include:

Risks of identity theft: Cybercriminals can attempt to access the victim’s various accounts by providing personal information as a form of verification.
Cybercriminals can use or sell the personal information to obtain further personal data. We have seen a recent rise in impersonation calls where criminals pretend to be a service provider and can ‘verify’ their identity using stolen data.
Exposure to phishing emails: Cybercriminals are getting more and more sophisticated at creating legitimate-looking emails to entice users into clicking on hidden malware links. Often posing as a reputable company or a major grocery store, the emails will usually contain a link for users to click on in order to obtain a discount or similar enticement.
Ransomware has been an increasing trend over the past few years. Back in May, the WannaCry ransomware threw international governments and public services into chaos as information was held to ransom for bitcoins. Health insurance policies can contain sensitive medical information that some individuals would rather pay to protect than have publicised.
The psychiatric harm stemming from a data breach is often overlooked. A breach of personal data is a breach of someone’s privacy and identity. Victims often feel anxious, stressed, nervous, angry, and paranoid about their data being exposed and exploited. The intangible nature of a data breach means the victim may always be left wondering who has their information and how far the breach will extend.

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
