Class Certification in CareFirst Lawsuit Denied by District Court Judge

The lawsuit concerns a data breach that occurred in April 2014.

By HFT Staff
April 6, 2023

A U.S. District Court Judge has denied class certification in a long-running legal battle against CareFirst BlueCross BlueShield over its 2014 data breach that affected 1.1 million plan members. The breach in question was due to a spear phishing attack in April 2014, which allowed unauthorized individuals to access a database that contained the names, birthdates, email addresses and subscriber ID numbers of around 1.1 million individuals who were registered to use CareFirst’s websites and online services. 

The lawsuit was initially filed in 2015 but was dismissed by a lower court in 2016 due to lack of injury, but was resurrected by a federal appeals court in 2017. In 2018, the U.S. Supreme Court declined CareFirst’s request for review and the case was returned to the District Court for the District of Columbia and was allowed to proceed. 

The lawsuit alleged CareFirst had failed to implement appropriate security measures and made several errors that allowed hackers to breach its network and access the data of its customers, and as a result of the data breach, class members face an increased risk of fraud and identity theft and have and will continue to have to spend time and money on mitigating measures. The lawsuit alleged breach of contract and violations of consumer protection laws in Maryland and Virginia. 

After completing discovery, in August 2022, the plaintiffs sought to certify three classes for each of the three causes of action – A contract class for residents of Washington D.C., Maryland and Virginia who purchased insurance from the underwriter and who had their information exposed in the breach, and two consumer classes for Maryland and Virginia residents who purchased insurance from CareFirst and were affected by the breach. 

District Court Judge, Christopher R. Cooper, determined that the plaintiffs had satisfied the prerequisites for class certification, “but the Court has serious concerns about whether common issues will predominate over individual inquiries in this case. Specifically, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez (2021), which held that a risk of future harm standing alone does not constitute a concrete Article III injury in damages actions.” As such, the motion for class certification was denied. 

The proposed class definitions would allow claims to be submitted by all affected CareFirst customers, even though many of those customers took no steps to mitigate their exposure to identity theft or medical fraud and therefore suffered no Article III injury. The injury in this case comes from the costs incurred due to the data breach, not the exposure of data due to the data breach. Judge Cooper said in his ruling that the plaintiffs can file a motion with narrowed class definitions to prevent claims from un-injured class members. 

See the latest posts on our homepage Share

Topic Area: Information Technology

Recent Posts
Recent Posts

Heat Pump Installation Reduces Costs, Improves Efficiencies

University Health Network’s Bickle Center finds success with heat recovery alternative.


Man Dies After Falling Out of Hospital Window

A man fell out of a hospital window after threatening hospital staff and a police officer.


CommonSpirit Health Updates Estimated Cost from Ransomware Attack

The cost of the October 2022 attack is expected to increase to $160 million.


Workplace Violence in Healthcare: Making Safety the Norm

As instances of violence rise, OSHA and the Joint Commission take steps to make healthcare facilities safer.


OSHA Cites Hospital for Failing to Keep Employees Safe from Patients

Staff members of Big Lots Behavioral Health Pavilion reportedly suffered concussions, lacerations and sprains from patients.



News & Updates • Webcast Alerts • Building Technologies

All fields are required.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

You Might Like