Class Certification in CareFirst Lawsuit Denied by District Court Judge

The lawsuit concerns a data breach that occurred in April 2014.

By HFT Staff

A U.S. District Court Judge has denied class certification in a long-running legal battle against CareFirst BlueCross BlueShield over its 2014 data breach that affected 1.1 million plan members. The breach in question was due to a spear phishing attack in April 2014, which allowed unauthorized individuals to access a database that contained the names, birthdates, email addresses and subscriber ID numbers of around 1.1 million individuals who were registered to use CareFirst’s websites and online services. 

The lawsuit was initially filed in 2015 but was dismissed by a lower court in 2016 due to lack of injury, but was resurrected by a federal appeals court in 2017. In 2018, the U.S. Supreme Court declined CareFirst’s request for review and the case was returned to the District Court for the District of Columbia and was allowed to proceed. 

The lawsuit alleged CareFirst had failed to implement appropriate security measures and made several errors that allowed hackers to breach its network and access the data of its customers, and as a result of the data breach, class members face an increased risk of fraud and identity theft and have and will continue to have to spend time and money on mitigating measures. The lawsuit alleged breach of contract and violations of consumer protection laws in Maryland and Virginia. 

After completing discovery, in August 2022, the plaintiffs sought to certify three classes for each of the three causes of action – A contract class for residents of Washington D.C., Maryland and Virginia who purchased insurance from the underwriter and who had their information exposed in the breach, and two consumer classes for Maryland and Virginia residents who purchased insurance from CareFirst and were affected by the breach. 

District Court Judge, Christopher R. Cooper, determined that the plaintiffs had satisfied the prerequisites for class certification, “but the Court has serious concerns about whether common issues will predominate over individual inquiries in this case. Specifically, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez (2021), which held that a risk of future harm standing alone does not constitute a concrete Article III injury in damages actions.” As such, the motion for class certification was denied. 

The proposed class definitions would allow claims to be submitted by all affected CareFirst customers, even though many of those customers took no steps to mitigate their exposure to identity theft or medical fraud and therefore suffered no Article III injury. The injury in this case comes from the costs incurred due to the data breach, not the exposure of data due to the data breach. Judge Cooper said in his ruling that the plaintiffs can file a motion with narrowed class definitions to prevent claims from un-injured class members. 

April 6, 2023

Topic Area: Information Technology

Recent Posts

Hospital Websites Too Often Share User Data with Third Parties: Study

User privacy can be compromised by sharing website information with external organizations.

Remote Access Systems Pose Cybersecurity Risk

Attacks can impact a healthcare system’s ability to provide care.

Tampa General Hospital Plans for a Men's Health Center

The plans were made possible through a $6.5 million contribution from the Chivukula family.

How Technology is Evolving Healthcare Design

Emerging technology is changing the way healthcare facilities are designed from the very beginning.

Cedars-Sinai Joins White House AI Consortium

Cedars-Sinai has also joined the TRAIN group, which is led by Microsoft.


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.