CareFirst customers granted right to sue over 2014 cyberattack

The second-most-powerful court in America has ruled that customers of Health Insurance provider CareFirst can sue the company for a breach that revealed personal identifiable information in 2014.

A three-judge panel on the D.C. Circuit Court of Appeals found on Tuesday that CareFirst, which serves over a million people in the D.C, Maryland and Virginia area, placed its customers at an increased risk of identity theft in 2014 when personally identifiable information was stolen from the company by cybercriminals. 

This decision reversed a district court decision from August 2016 that had dismissed a class action suit against CareFirst on the grounds that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken,” and declaring that the customers “have not made the required showing, the Court lacks subject matter jurisdiction over the case and will grant CareFirst’s motion to dismiss.”

Judge Thomas Griffith read the appeals court’s opinion on Tuesday.

“The District Court concluded that the plaintiffs had ‘not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing,’ in part because they had ‘not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their Social Security or credit card numbers,’” Griffith said.

“But that conclusion rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach,” he added. “In fact, the complaint did.”