Dive Brief:
- A D.C. appeals court granted CareFirst’s request to put a class-action lawsuit on hold while it appeals a data breach case to the U.S. Supreme Court, FierceHealthcare reports.
- The decision follows the same court’s Aug. 1 ruling that a group of plaintiffs suing the insurer over a 2014 data breach could proceed with litigation.
- If accepted, CareFirst’s appeal would be the first data breach case to be heard by the high court.
Dive Insight:
CareFirst filed the appeal on Aug. 31, maintaining its case presents a “substantial question” about when claims of injury from a data breach are substantial enough to warrant legal recourse.
“The Supreme Court needs to address this area of the law to provide more guidance to federal district and appellate courts, especially given that federal courts have struggled to reach consensus as to when the prospect of future injury resulting from stolen information truly presents a ‘substantial risk’ of actual harm,” the motion says.
Allowing the class-action suit to move forward without guidance from the high court will encourage others to sue following data breaches without a show of actual harm, the motion adds.
Cyber criminals hacked into a single database of CareFirst BlueCross BlueShield, a nonprofit payer serving Maryland, northern Virginia and the District of Columbia, in June 2014, exposing the names, birth dates, email addresses and subscriber identification numbers of 1.1 million members. In 2015, a number of victims brought a class-action lawsuit against the company in D.C. federal court.
Healthcare organizations have been a prime target of hackers in recent years due to the wealth of personal information they collect from patients. Health insurance information is particularly lucrative on the dark web because it can be sold and then used to commit healthcare fraud.
A report earlier this year by Protenus counted 31 health data breaches affecting 388,307 patient records during the month of January — on average, one a day. Of those, 59.2% were the result of insiders.
In July, Anthem reported a breach involving 18,500 members’ information to HHS. The breach occurred after a contractor emailed a file with the members’ data to his personal email address in July 2016. The incident was discovered after the contractor, an employee of LaunchPoint Ventures, was linked to another case of identity theft.
News of that breach came just weeks after Anthem agreed to pay a record $115 million to settle a class-action lawsuit stemming from a 2015 data breach compromising the personal information of nearly 80 million members and employees.
In August 2016, HHS’ Office for Civil Rights directed its regional offices to ramp up investigations of smaller breaches involving personal health data — with the aim of better understanding compliance issues in HIPAA-regulated organizations. OCR routinely investigates breaches involving the personal data of 500 or more individuals, but has typically tied investigations of smaller breaches to resource availability.