- Disclosure of personal information, even without demonstration of misuse of the information, creates de facto injury under FCRA
- Court vacates and remands
Justia provides a summary of an opinion issued by the Court of Appeals for the Third Circuit that revives a potential class action lawsuit again a New Jersey health insurer.
The litigation stemmed from a breach in November, 2013 when two laptops with almost 840,000 members’ personally identifiable information were stolen from Horizon’s offices in New Jersey.
In addition to spawning litigation, the breach also contributed to the enactment of legislation in New Jersey requiring encryption of protected health information.
Not surprisingly for the time, in 2015, the lower court dismissed litigation against Horizon, finding that the plaintiffs had not established standing solely by virtue of their data having been stolen. The plaintiffs, who had sued under the Fair Credit Reporting Act (FCRA) and state laws, appealed.
Now, the Court of Appeals holds that the plaintiffs have demonstrated an injury sufficient for Article III standing under FCRA, and vacates the dismissal and remands.
In re: Horizon Healthcare Inc. Data Breach Litigation, No. 15-2309 (3d Cir. 2017)
Horizon Blue Cross Blue Shield provides health insurance products and services to approximately 3.7 million members. Two laptop computers, containing sensitive personal information about members, were stolen from Horizon. Four plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops, alleging willful and negligent violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681, and numerous violations of state law. The district court dismissed the suit for lack of Article III standing. According to the court, none of the plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment. The Third Circuit vacated. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.
You can access the full opinion on Justia.