In December, 2013, Horizon Blue Cross Blue Shield of New Jersey notified almost 840,000 members that their protected health information was on laptops stolen from the insurer’s Newark headquarters on November 1, 2013.
At the time, Horizon BCBS reported that the laptops were password-protected, but the data were unencrypted, and
After a detailed review with outside computer forensic experts, we have confirmed that the laptops may have contained files with differing amounts of member information, including name and demographic information (e.g., address, date of birth, Horizon BCBSNJ identification number), and in some instances, a Social Security number and/or limited clinical information. Due to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible.
That breach was the impetus for a new law in New Jersey that requires encryption of PHI. The law went into effect January 9th.
But the breach was also the impetus for some lawsuits by aggrieved members who alleged that the breach placed them at “imminent” and “immediate” risk of harm from identity theft, medical fraud, and other woes. They sought compensation under FCRA and state laws.
On March 31, however, the court dismissed their lawsuits over the breach, holding that the plaintiffs had failed to establish standing via the “economic injury” prong. As other courts have held, this court, too, also held that simple violation of a statutory rights is not sufficient to demonstrate injury-in-fact to establish standing. Finally, citing the Third Circuit’s decision in Reilly, the court held that “allegations of hypothetical, future injury are insufficient to establish standing” because plaintiffs had “not suffered any injury” and would not sustain an injury and until these conjectures come true”.
There’s more, and you can read it all here (pdf), but you get the drift by now. Another one bites the dust over standing.