The D.C. Circuit Court of Appeals ruled that customers of a health insurance company can sue over a cyberattack in which personal information was stolen, according to The Hill.
A three-judge panel reversed a district court decision that dismissed a class action suit which seven customers brought against Baltimore-based insurer CareFirst, alleging the payer's carelessness led to the 2014 breach of 1.1 million customers' data. The plaintiffs said they suffered an increased risk of identity theft as a result of the breach and were owed monetary damages. According to the lower court, however, the plaintiffs failed to show a present injury and therefore lacked standing.
Judge Thomas Griffith, who wrote the opinion for the court, said the lower court gave the complaint an unduly narrow reading and failed to conclude the customers faced a substantial risk of identity theft.
In his opinion, Mr. Griffith said the district court erroneously concluded the plaintiffs "had 'not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their Social Security or credit card numbers'."
"[The district court's] conclusion rested on an incorrect premise: that the complaint did not allege the theft of social security or credit card numbers in the data breach. In fact, the complaint did," he wrote in the opinion.