Santa Clara, CA: CareFirst BlueCross BlueShield is facing a proposed data breach class action lawsuit filed by customers who allege their personal data held by the health insurance provider was hacked and that CareFirst failed to prevent that cyberattack. Approximately 1.1 million plan members were affected.
In the lawsuit, named plaintiffs Pamela Chambliss and Scott Adamson claim that the hack was a result of CareFirst's negligence which left their personal information vulnerable to identity thieves.
"Plaintiffs and the class members had and have a reasonable expectation that their confidential PI and confidential health information would remain private and confidential," the plaintiffs' attorneys assert. "As a result of CareFirst's deficient practices, plaintiffs and the class members have been damaged, and have lost or are subject to losing money and property as a result of CareFirst's substandard security practices."
It was in late May 2015 that CareFirst announced an unauthorized access to a single database had occurred in June 2014 which enabled unknown parties to potentially obtain names, dates of birth, email addresses and subscriber identification numbers of members who signed up before that date. CareFirst claimed information such as Social Security numbers or credit card information was not accessed.
CareFirst allegedly claims that the data breach was discovered after the company had hired Mandiant Inc. to conduct a review of its information technology systems in light of data breaches recently reported by other health insurers. CareFirst did provide two free years of credit monitoring for people whose data was compromised.
According to the complaint, Chambliss and Adamson allege they received letters notifying them of the cyberattack but only after they had learned of the data breach through media accounts. They claimed that CareFirst failed to adequately secure the computers storing customers' personal information, despite becoming aware of an attempted data breach last year. CareFirst serves 3.4 million people and groups in Maryland, the District of Columbia and Virginia.
"The ramifications of CareFirst's failure to keep plaintiffs' and class members' personal information secure are severe," the complaint states. "Identity thieves can use PI such as that pertaining to plaintiffs and the class members, which CareFirst failed to keep secure, to perpetuate a variety of crimes that harm the victims."
The named plaintiffs are asserting common-law claims for negligence, breach of implied contract and unjust enrichment and are seeking to represent a nationwide class of all CareFirst customers whose personal information was compromised in the cyberattack.
The plaintiffs are represented by Price O. Gielen of Neuberger Quinn Gielen Rubin & Gibber PA, William B. Federman of Federman & Sherwood and Cornelius P. Dukelow of Abington Cole & Ellery.
The case is Chambliss et al v. CareFirst, Inc. et al., case number 1:15-cv-02288, in the U.S. District Court for the District of Maryland.