United States Supreme Court Denies Certiorari in CareFirst, Inc. v. Attias.

Private - United States Supreme Court Denies Certiorari in CareFirst, Inc. v. Attias.

Last week the United States Supreme Court denied certiorari in CareFirst, Inc. v. Attias, No: 17-241. The denial of certiorari leaves in place the D.C. Circuit’s August 1, 2017 decision which found that victims of the 2014 CareFirst Data Breach had standing to sue the company for the increased risk of harm associated with the disclosure of their private information.  

The D.C. Circuit separately analyzed two types of information which Plaintiffs alleged that CareFirst collected, and failed to adequately secure: (1) financial information, which included social security numbers and credit card numbers; and (2) other Private information which included the combination of members’ names, birth dates, email addresses and subscriber identification numbers.  The Circuit Court found that the disclosure of both types of information independently created a substantial risk of future harm sufficient to satisfy Article III standing.   

With regard to the financial information the court noted “The complaint…plausibly alleges that the CareFirst data breach exposed customers’ social security and credit card numbers.  CareFirst does not seriously dispute that plaintiffs would face a substantial risk of identity theft if their social security and credit card numbers were accessed by a network intruder, and, drawing on ‘experience and common sense,’ we agree.”

With regard to whether the disclosure of a combination of members’ names, birth dates, email addresses and subscriber identification numbers created a material risk of identity theft, the court also found that Article III was satisfied.  The Circuit Court noted: “This allegation of risk based solely on theft of health insurance subscriber ID numbers is plausible when taken in conjunction with the complaint’s description of a form of ‘medical identity theft’ in which a fraudster impersonates the victim and obtains medical services in her name. That sort of fraud leads to ‘inaccurate entries in [victims’] medical records’ and ‘can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs.’ These portions of the complaint would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.”

The D.C. Circuit’s ruling is important as it recognizes that companies which fail to secure customer’s information and which subsequently suffer a data breach have created a significant risk of future harm for their customers.  Those customers must therefore be permitted to present claims for compensation arising out of the increased risk of future harm caused by the company’s negligence.  

Tell Us About Your Case

If you can read this, please avoid filling the following input field or your submission may be marked as spam.
Thank you for contacting us! We will be in touch with you shortly.

Recent Entries


Locks Law Firm only provides legal advice after having entered into an attorney client relationship, which our website specifically does not create. Conversations that originate from website messaging, chat or other two way web based engagement  do not create an attorney client relationship. It is imperative that any action taken be done on the advice of counsel. Because every case is different, the description of awards and cases previously handled do not guarantee a similar outcome in current or future cases. The firm practices law in Pennsylvania, New Jersey & New York as Locks Law Firm. Super Lawyers, Best Lawyers in America and other organizations that rate attorneys are not designations that have been approved by the State Supreme Courts or the American Bar Association.