Legal Newsline

Wednesday, February 19, 2020

Md. federal judge says possible future injuries not enough in data breach class action

By Jessica Karmasek | Jul 13, 2016


BALTIMORE (Legal Newsline) - A Maryland federal court, joining a handful of other federal courts, recently dismissed a data breach class action for lack of standing.

Judge Richard Bennett for the U.S. District Court for the District Court of Maryland nixed the putative class action brought against CareFirst Inc. and CareFirst of Maryland Inc.

The plaintiffs, Pamela Chambliss and Scott Adamson, who held health insurance issued by CareFirst, alleged various tort, negligence and statutory claims arising under Maryland law.

Specifically, they claimed CareFirst failed to adequately secure the computer hardware storing their customers’ personal information, including names, birthdates, email addresses and subscriber identification numbers.

CareFirst filed a motion to dismiss the class action. The court, after a May 19 hearing on the motion, agreed that the plaintiffs failed to allege facts sufficient to establish standing.

Citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International USA, the Maryland federal court explained that when the plaintiff alleges an injury based on future harm, “the threatened injury must be certainly impending to constitute an injury in fact.”

Mere allegations of possible future injury are not sufficient.

“Where the alleged injury requires a lengthy chain of assumptions, including ‘guesswork as to how independent decisionmakers will exercise their judgment,’ the injury is too speculative to be ‘certainly impending,’” Bennett wrote in the 13-page ruling.

The case came about after a data breach at CareFirst, a health insurance provider operating in Maryland, Virginia and the District of Columbia.

On May 20, 2015, CareFirst announced it had discovered a data breach that allegedly compromised the confidential personal information of about 1.1 million individuals.

Two data breaches allegedly occurred: the first in June 2014 and the second just before CareFirst’s announcement in May 2015.

The insurer denied that any confidential medical records were implicated in the breaches.

Bennett noted that although no courts in the circuit have addressed the standing requirements in the context of data breach litigation, most courts to consider the issue have agreed that the mere loss of data, “without any evidence that it has been either viewed or misused,” does not constitute an injury sufficient to confer standing.

“Indeed, since Clapper… courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach cases,” the judge wrote.

As he noted, the reliance on the actions of an unknown independent third party creates a theory of injury that only amounts to an “objectively reasonable likelihood of harm.”

“In this case, Plaintiffs do not allege that their data has been misused in any way thus far,” Bennett wrote, pointing out that the breach compromised only the plaintiffs’ names, birthdates, email addresses and subscriber identification numbers, and not their social security numbers, credit card information or any other “similarly sensitive data” that could heighten the risk of harm.

“Plaintiffs contend that their personal information has value, but have not alleged how a hacker would use the particular information stolen to harm the Plaintiffs,” Bennett wrote.

And to this day, the judge noted, neither plaintiff has suffered any fraudulent charges or other evidence of misuse.

“The imminence of the asserted harm thus becomes ever less likely as the breaches fade further into the past,” Bennett wrote.

The Maryland federal court, in its opinion, rejected the plaintiffs’ reliance on rulings in the Neiman Marcus and Target data breach cases.

“Indeed, the cases upon which they rely do not contradict this Court’s conclusion, but rather demonstrate the factual allegations necessary to establish standing in data breach litigation,” Bennett wrote.

In Remijas v. Neiman Marcus Group LLC, for example, more than 9,200 customers had experienced fraudulent charges, thus “there was no need to speculate” as to whether the harm was imminent, the judge pointed out.

In re Target Corp. Data Security Breach Litigation, the harm was not speculative, as the plaintiffs had alleged unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees, Bennett noted.

“Plaintiffs do not cite a single instance of data misuse even though a significant amount of time has passed since the data breaches,” the judge wrote. “They even acknowledged at the May 19 hearing that any amended complaint would not include new allegations of misuse.”

In addition, the federal court shot down the plaintiffs’ arguments that they have suffered harm in the form of mitigation costs -- specifically, expenses incurred from obtaining credit-monitoring services -- and by the lost benefit of their bargain with CareFirst.

The court also declined to decide whether the plaintiffs’ personal information has a monetary value. The plaintiffs, in their complaints, argued their personal information has an “intrinsic” value that was diminished as a result of the data breach.

From Legal Newsline: Reach Jessica Karmasek by email at

Want to get notified whenever we write about CareFirst BlueCross BlueShield ?

Sign-up Next time we write about CareFirst BlueCross BlueShield, we'll email you a link to the story. You may edit your settings or unsubscribe at any time.

Organizations in this Story

CareFirst BlueCross BlueShield