CareFirst makes final push for Supreme Court to hear breach case
Maryland-based CareFirst has filed a final appeal to the U.S. Supreme Court to hear its data breach case, arguing that without a high court review, companies in every sector will be hit with a “flood” of data breach lawsuits in the future.
The appeal stems from a decision by the U.S. Court of Appeals in the District of Columbia in August that allowed the 1.1 million members impacted by CareFirst’s data breach in 2014 to pursue a lawsuit against the company.
The judge ruled the risk of injury from the breach warranted the lawsuit. However, CareFirst attorneys argued if the decision is allowed to stand, any victim of data breach could sue a company, “even if the plaintiff suffered no harm whatsoever.”
“That scenario cannot be reconciled with the fundamental principle that an injury in fact must be actual or imminent,” according to the suit. The argument is based on Article III of the U.S. Constitution, requiring plaintiffs to demonstrate injury or harm.
“CareFirst’s position…is that the circuit court lowered the ‘substantial risk’ standard by creating implausible scenarios of possible future harm, most of which do not rely on specific factual allegations in the complaint,” the suit read.
If the August decision is allowed to stand, the attorneys argued it will “eviscerate any workable standard” when courts evaluate breach lawsuits.
The insurer referenced similar circuit court decisions that were staunchly different than the D.C. appellate court’s August decision.
CareFirst first petitioned the Supreme Court in November, failing to determine if the breached customers’ future injuries were pending.
If the Supreme Court agrees to hear the case, it would be the first breach case to reach the high court and could set the precedent for future breach litigation. Given the steady increase in data breaches in the healthcare industry and other sectors, this could set the precedent for future litigation.