What’s inside this issue? In the complimentary spring 2022 issue, you will find articles that address the… Continue Reading
New Jersey Federal Court Dismisses Data Breach Lawsuit against Horizon BCBS
POSTED MAY 5, 2015
A special to USLAW NETWORK and USLAW DigiKnow
By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey
On March 31, 2015, a class action data breach lawsuit against Horizon Blue Cross Blue Shield of New Jersey was dismissed due to the Plaintiff’s failure to allege an injury sufficient to confer standing. In In Re Horizon Healthcare Services, Inc. Data Breach Litigation, Civil Case No. 2:13-cv-07418-CCC-JBC, U.S. District Judge Claire C. Cecchi, held that the plaintiffs were unable to prove that because a violation of statutory rights took place, that hypothetical future injuries could potentially occur.
The following matter arose out of a 2013 incident wherein laptops containing the PHI of approximately 840,000 Horizon BCBS members were stolen. The information stored on the laptops included names, addresses, dates of birth, clinical information, and Social Security numbers. At the time of the theft, Horizon stated that there was no reason to believe that the stolen information had been inappropriately used.
Thereafter, four individual plaintiffs claimed on behalf of themselves and other similarly situated that as “a direct and proximate result of Horizon’s wrongful actions and inaction”, they “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”
In dismissing the lawsuit, Judge Cecchi explained that three of the individual plaintiffs could not point to any harm suffered. In particular, Judge Cecchi stated that these plaintiffs did not “allege that they were careful in guarding their sensitive information, that they suffered any monetary losses, or that they have sustained any other injuries such as identity theft, identity fraud, medical fraud, or phishing.” With regard to these plaintiffs’ claims that there was “violation of common law and statutory rights,” Judge Cecchi held that there were no examples of “specific harm” that had happened to them because of the data breach. Thus, Judge Cecchi held that “merely asserting violations of certain statutes is not sufficient to demonstrate an injury-in-fact for purposes of establishing standing under Article III.”
Judge Cecchi also dismissed the claims of the fourth individual despite the fact that this plaintiff asserted that a fraudulent tax return was filed on behalf himself and his wife, as well as reported the fraudulent use of his credit card. Judge Cecchi found this plaintiff’s circumstances to be singular, unique, and particular to him. Moreover, even if his theory was adequate to support standing in the abstract, the facts of this case demonstrated the remote possibility, rather than the plausibility, that the fraudulent tax return was connected to the Horizon laptop theft. Thus, Judge Cecchi held that his tax fraud injury was not “fairly traceable” to Horizon to assert standing. Furthermore, even if the Court were to find that his injury was “fairly traceable” to Horizon, his claim failed as to the third element of standing, redressability, as he admitted receiving his tax refund. Judge Cecchi also dismissed his claim regarding the fraudulent use of his credit card as there was no dispute that the information stolen from the Horizon laptops did not contain same.
The above demonstrates the difficulty in bringing a class action lawsuit arising out of a data breach. In particular, although a claimant’s information has been stolen, he cannot sufficiently allege an injury-in-fact to confer standing. Furthermore, even a claimant who can point to an actual injury, such as the plaintiff above who suffered a fraudulent tax return and fraudulent use of his credit card, still may not have standing as the alleged injury must be “fairly traceable” to the alleged data breach.