Every time there’s a big breach that has consumers or patients outraged, I see rumblings in the Comments section of posts about class-action lawsuits. An article by John Devine, Edward McAndrew, and Gregory Szewczy of Ballard Spahr about a recent opinion in the District Court for the D.C. Circuit is a timely reminder of the uphill battle plaintiffs may face in any such litigation.
The court’s reasoning in dismissing the claims [against CareFirst BlueCross BlueShield] is yet another step in defining which data breaches are actionable—a significant question in an environment where every major breach seems to give rise to a class action lawsuit. In keeping with the current trend among federal courts, the court in CareFirst found that data breach plaintiffs cannot bring lawsuits without evidence that sensitive data has been—or will be—misused in a harmful manner.
Simply having your personal information stolen in a data breach isn’t enough.
Read more on JD Supra.
While the facts of the CareFirst breach are different than the Athens Orthopedic Clinic case, and the cases are in different jurisdictions, I always encourage site readers to realize that just because there’s a breach, it doesn’t mean you can sue successfully – and even if you prevail, you generally do not win much.