A federal appeals court has ruled that an insurance company’s customers can sue the company over a cyberattack in which customer information was stolen.
On Tuesday, the DC Circuit Court of Appeals reversed a lower court’s decision dismissing a class-action lawsuit brought against CareFirst, a health insurer that serves one million customers in the District of Columbia, Maryland and Virginia.
The customers suing CareFirst attributed a 2014 data breach to the company’s carelessness. It was originally ruled that the plaintiffs lacked standing because they failed to show a present injury or likelihood of being injured in the future, according to a report by The Hill.
Celebrate excellence in insurance. Nominate a worthy colleague for the Insurance Business Awards!
However, Judge Thomas Griffith, of the appeals court, said that the district court had read the complaint too narrowly.
“The District Court concluded that the plaintiffs ‘had not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing,’ in part because they had ‘not suggested, let alone determined, how the CareFirst hackers could steal their identities without access to their Social Security or credit card numbers,” Griffith, a member of a three-judge panel, wrote in the panel’s ruling. “But that conclusion rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach. In fact, the complaint did.”
Related stories:
Anthem data breach could expose personal data of thousands
Judge orders federal insurance to pay up $4.8 million claim