A federal judge has approved the certification of a “contract class” in a proposed class action lawsuit against CareFirst stemming from a 2014 cyberattack affecting approximately 1.1 million individuals. U.S. District Court Judge Christopher Cooper’s ruling allows over a million people to pursue claims that CareFirst breached its contractual duty to protect their data, even though any anticipated recovery is limited to nominal damages. The decision follows a series of legal developments, including dismissals and appeals, since the lawsuit was first filed in 2015.
The “contract class” comprises individuals residing in the District of Columbia, Maryland, and Virginia who purchased or possessed health insurance from CareFirst and had their personal, health, or financial information breached in the 2014 cyberattack. Judge Cooper’s decision was informed by the finding that all putative class members have standing to pursue their breach of contract claim, resolving a previous hurdle that prevented class certification. Despite previous dismissals and appeals, the case has persevered, culminating in the recent ruling certifying the contract class.
The cyberattack on CareFirst in April 2014 began when hackers infiltrated the company’s internal data system through a spear-phishing email. Although the phishing attempt was initially identified, one employee inadvertently granted the hackers access to CareFirst’s systems by downloading a backdoor. As a consequence, customer information such as names, birthdates, email addresses, and usernames was compromised. CareFirst responded by sending breach notifications to affected customers in May 2015 and offering two years of credit monitoring and identity theft protection.
This ruling marks a significant development in the ongoing legal battle between CareFirst and affected individuals seeking recourse for the breach of their personal data. Despite the challenges faced in the legal process, the certification of the contract class represents a step forward in holding organizations accountable for safeguarding sensitive information and ensuring legal redress for individuals impacted by cybersecurity incidents.