The CareFirst building in Owings Mills. (file)

CareFirst faces potential class-action suit over data breach

Federal court filing alleges company knew about security problems prior to May incident

Following a May data hack that may have compromised the personal information of as many as 1.1 million people, CareFirst Inc. and CareFirst BlueCross BlueShield have now been hit with a proposed class-action lawsuit over the data breach.

The lawsuit, filed in U.S. District Court in Baltimore last week, alleges the health insurance company was negligent when it failed to secure computer hardware that stored CareFirst customers’ personal information, including names, birth dates, email addresses and subscriber identification numbers. CareFirst announced the breach May 20.

Identity thieves could use the information to “perpetuate a variety of crimes … such as immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with another’s picture, using the victim’s information to obtain government benefits, or filing a fraudulent tax return using the victim’s information,” the complaint states. “… The United States government and privacy experts acknowledge that it may take years for identity theft to come to light and be detected.”

CareFirst said in May that Social Security numbers, medical claims, employment information and credit card numbers were not part of the database that was hacked. The company said at the time it would be offering two years of free credit monitoring and identity theft protection for those affected by the attack.

A CareFirst spokeswoman said on Thursday that the company does not comment on pending litigation.

Other recent, high-profile data breaches have resulted in similar lawsuits against Target, Home Depot and Children’s National Health System, among other businesses.

Target Corp. in March agreed to pay $10 million to settle a lawsuit with individual credit card holders whose data was compromised in a 2013 hack. A class-action lawsuit filed against Home Depot Inc. in May accuses the company of employing “willfully dismissive” data security practices. Children’s National Health System is facing a federal class-action lawsuit in Maryland alleging up to 18,000 patients’ private health information may have been compromised.

Security lapses

The lawsuit against CareFirst alleges the company has known about its own security problems since last year, when a security consulting company discovered an attempted data breach. But CareFirst failed to correct its lapses in security, leading to the hack in May, the complaint states.

Named plaintiffs Phyllis Chambliss and Scott Adamson had both been longtime CareFirst customers, Chambliss since 2005 and Adamson since 1975, according to the suit. Both plaintiffs said they received notice of the data breach from CareFirst after they heard about the incident in the media.

Potential class members include “hundreds of thousands” of consumers who purchased health insurance from CareFirst with the expectation that a portion of their payments would be used to pay for the cost of data security, according to the complaint. The lawsuit seeks unspecified damages for the class of plaintiffs.

“Plaintiffs were harmed by having their personal information compromised and they face the imminent and certainly impending threat of future additional harm from the increased threat of identity theft and fraud due to their personal information potentially being sold on the Internet black market and/or misused by criminals,” the lawsuit states.

Price Gielen, an attorney for the proposed plaintiff class, was out of the office Thursday and unavailable for additional comment on the case. Gielen is with Neuberger, Quinn, Gielen, Rubin & Gibber P.A. in Baltimore.

The case is Pamela Chambliss and Scott Adamson v. CareFirst, Inc. et al., 1:15-cv-02288-RDB.


About Lauren Kirkwood

Lauren Kirkwood covers the business of law beat at The Daily Record.