A U.S. District Court Judge has denied class certification in a long-running legal battle against CareFirst BlueCross BlueShield over its 2014 data breach that affected 1.1 million plan members. The breach in question was due to a spear phishing attack in April 2014, which allowed unauthorized individuals to access a database that contained the names, birthdates, email addresses and subscriber ID numbers of around 1.1 million individuals who were registered to use CareFirst’s websites and online services.
The lawsuit was initially filed in 2015 but was dismissed by a lower court in 2016 due to lack of injury, but was resurrected by a federal appeals court in 2017. In 2018, the U.S. Supreme Court declined CareFirst’s request for review and the case was returned to the District Court for the District of Columbia and was allowed to proceed.
The lawsuit alleged CareFirst had failed to implement appropriate security measures and made several errors that allowed hackers to breach its network and access the data of its customers, and as a result of the data breach, class members face an increased risk of fraud and identity theft and have and will continue to have to spend time and money on mitigating measures. The lawsuit alleged breach of contract and violations of consumer protection laws in Maryland and Virginia.
After completing discovery, in August 2022, the plaintiffs sought to certify three classes for each of the three causes of action – A contract class for residents of Washington D.C., Maryland and Virginia who purchased insurance from the underwriter and who had their information exposed in the breach, and two consumer classes for Maryland and Virginia residents who purchased insurance from CareFirst and were affected by the breach.
District Court Judge, Christopher R. Cooper, determined that the plaintiffs had satisfied the prerequisites for class certification, “but the Court has serious concerns about whether common issues will predominate over individual inquiries in this case. Specifically, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez (2021), which held that a risk of future harm standing alone does not constitute a concrete Article III injury in damages actions.” As such, the motion for class certification was denied.
The proposed class definitions would allow claims to be submitted by all affected CareFirst customers, even though many of those customers took no steps to mitigate their exposure to identity theft or medical fraud and therefore suffered no Article III injury. The injury in this case comes from the costs incurred due to the data breach, not the exposure of data due to the data breach. Judge Cooper said in his ruling that the plaintiffs can file a motion with narrowed class definitions to prevent claims from un-injured class members.