Attias v. CareFirst, Inc., 2019 WL 367984 (D. D.C. 2019)
A federal district court has dismissed most state-law claims stemming from a data breach affecting millions of health insurance policyholders. In an earlier decision, the court had dismissed the claims because the claimants had not demonstrated a sufficiently substantial risk of future harm to establish standing to sue. An appellate court reversed that ruling, holding that the claimants had asserted adequate harm based on the type of data alleged to have been taken (names; birth dates; email addresses; and subscriber, credit card, and Social Security numbers) and the presumed ill intent of the unauthorized party accessing the information.
Considering another motion by the insurer, the district court has now dismissed claims for breach of contract, negligence, negligence per se, fraud, constructive fraud, and breach of duty of confidentiality for nearly all the claimants, ruling that they did not adequately allege damages under the applicable laws. The court explained that the mere threat of future misuse of personal information is not sufficient to state claims for economic injuries. The court further decided that benefit-of-the-bargain damages—the notion that the policyholders overpaid for their health insurance because part of their premium should have been earmarked for better information security—are too indeterminate. In addition, the court held that the time and expense of credit monitoring and other “prophylactic” mitigation measures are not injuries that the law is prepared to remedy for individuals whose information has been exposed but not misused. And, in the absence of economic damages or physical injury, the court refused to recognize claims for emotional distress. The court left in place only the claims for breach of contract brought by individuals who alleged that their personal information had actually been misused, in this case to commit tax-refund fraud.
EBIA Comment: Even when liability for a breach is clear, individuals may face an uphill battle to obtain a recovery. Most courts have held that HIPAA does not establish a private right of action for damages. In addition, many courts are skeptical of claims for damages unless individuals can show that their personal information was actually misused with adverse financial consequences. Still, health plans and their business associates cannot afford to let their guard down—HHS’s Office for Civil Rights and state attorneys general have broad enforcement authority, and multimillion-dollar settlements are announced regularly. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XX.H (“No Direct Private Cause of Action in the Statute or Regulations”), and XXI.D.3 (“Litigation Based on State-Law Claims”). You may also be interested in our recorded webinar, “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.