Hackers attacked the CareFirst BlueCross BlueShield database in 2014 and accessed the protected health information of 1.1 million members. The information exposed included names, birth dates, email addresses and subscriber ID numbers. Following the breach, plaintiffs filed lawsuits seeking damages for the risk of identity theft and fraud because of the breach.
The U.S. District Court for the District of Columbia dismissed the Chantal Attias vs. Carefirst, Inc. in 2016 for lack of standing. Two federal district courts also dismissed other complaints. But the case was revived on August 1, 2017 when the U.S. District Court for the District of Columbia allowed the case to proceed despite the lack of concrete, identifiable injury to plaintiffs.
Carefirst submitted a motion for a stay to have an appeal filed with the Supreme Court. On the first week of September, the U.S. District Court for the District of Columbia granted a 90-day stay pending the filing of a Petition for Writ of Certiorari with the U.S. Supreme Court, seeing that there was a ‘good cause’ and a need to answer a “substantial question.”
The motion submitted by CareFirst reasoned that the Supreme Court still needs to examine the issue of standing within the context of a data breach. The Supreme Court needs to hear the case to guide the federal district and appellate courts in sorting cases where a cognizable injury-in-fact has been sustained and the plaintiffs are not able to allege real or immediate harm.
The federal district and appellate courts struggled to reach consensus whether the prospect of future injury resulting from a data breach constitutes a substantial risk of actual harm. Should the district court decide to proceed with the case, it would encourage lawsuits following data breaches without allegations of real or immediate harm. Carefirst hopes to get the Supreme Court’s consideration for a grant of certiorari.