Lack of Damages Dooms Breach Class Against CareFirst

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

May 31 — Health-care insurance provider CareFirst Inc. won't have to face a class action stemming from a 2015 data breach that potentially compromised approximately 1.1 million consumers' sensitive information, the U.S. District Court for the District of Maryland held May 27 ( Chambliss v. CareFirst, Inc., 2016 BL 169810, D. Md., No. RDB-15-2288, 5/27/16 ).

Judge Richard D. Bennett said that the plaintiffs failed to allege injury stemming from the data breach, and therefore, lacked standing to bring the class claims.

In May 2015, CareFirst announced that hackers gained “limited, unauthorized access” to the company's database, which didn't contain member Social Security numbers, medical claims, employment, credit card or financial information (14 PVLR 940, 5/25/15).

Plaintiffs, who held CareFirst health insurance during the breach, filed suit over the company's alleged failure to protect confidential personal information.

Moving to dismiss, CareFirst argued that the plaintiff failed to allege injury, including increased risk. The court agreed.

Although no courts in this circuit have addressed the standing requirements in the context of data breach litigation, most courts to consider the issue “have agreed that the mere loss of data—without any evidence that it has been either viewed or misused—does not constitute an injury sufficient to confer standing,” the court explained.

The court found that the plaintiffs failed to “cite to a single instance of data misuse even though a significant amount of time has passed since the data breaches.”

Further, it found that plaintiffs offered no factual allegations showing that the data breach diminished the value of their insurance.

Neuberger Quinn Gielen Rubin & Gibber PA and Federman and Sherwood represented the plaintiffs. Sutherland Asbill & Brennan LLP represented CareFirst.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

Request Bloomberg Law Privacy and Data Security