Maryland-based CareFirst BlueCross BlueShield filed a petition with the U.S. Supreme Court to ask for a review of its case stemming from a 2014 data breach that exposed almost 1.1 million patient records.
The petition follows a ruling from the U.S. Court of Appeals for the District of Columbia in August that gave the customers the right to pursue its class-action lawsuit against CareFirst. The ruling overturned the district court decision that said the plaintiffs did not suffer actual harm.
The appeals court refuted that reasoning: "At the very least, it is plausible -- to infer that this party has both the intent and the ability to use that data for ill."
In its petition, CareFirst argues that the appeals court failed to determine if its customer's future injuries were "certainly impending." The insurer names other lawsuits to validate its petition, including two cases filed against CareFirst in Maryland and Illinois that were eventually dismissed.
"The rising tide of data hacks and the class action lawsuits they inevitably spur increasingly test the boundaries of federal court jurisdiction," the attorneys wrote.
"Without guidance, courts, litigants, cybersecurity insurers and corporate America will remain uncertain as to when a federal court can hear such claims," they continued. "This case presents an ideal vehicle for the court to clarify that to satisfy the substantial risk standard, an alleged future injury must be imminent."
If the high court chooses to review the case, it would be the first data breach case to reach the Supreme Court, which could set the precedent for future breach litigation. Given the number of healthcare breaches in the last two years, it could be big.
The definition of harm as it relates to data breaches has been placed front-and-center in legal cases this year.
An appellate court overturned a lower court's decision to dismiss the case against Horizon Blue Cross Blue Shield, stemming from a 2013 data breach. The court argued the breach violated the Fair Credit Reporting Act.
And the U.S. District Court for D.C. dismissed a lawsuit against the Office of Personnel Management following a breach that exposed the personal information of 22 million of its employees.
CareFirst announced it suffered a breach in May 2015, which compromised not only the data of former and current customers, but also any individual who conducted online business with CareFirst. It was discovered in April of that year, but hackers first gained access to a CareFirst database in June 2014.
The stolen data included a wide range of customer information from subscriber identification numbers to birthdates. Social Security information and financial information was not part of the breach. And passwords weren't compromised.