Customers’ allegations that they face a substantial risk of identity theft as a result of a 2014 data breach are sufficiently plausible to allow their suit against health insurer CareFirst to proceed, the U.S. Court of Appeals for the D.C. Circuit held in an August 1 decision.

CareFirst discovered in April 2015 — and announced a month later — that an unknown intruder had gained access in June 2014 to a database containing personal information about CareFirst’s customers.  Seven customers then brought a class-action lawsuit against CareFirst in the federal district court in Washington, D.C., alleging among other things that CareFirst was negligent in protecting customer data, and that customers as a result faced an increased risk of identity theft.

The district court dismissed the suit, finding that the plaintiffs had not alleged that hackers had accessed the plaintiffs’ social security numbers or credit card information, and that the risk of hackers stealing the plaintiffs’ identities without such information was too speculative to satisfy the requirements of Article III of the U.S. Constitution, which requires that federal courts hear only actual “cases or controversies.”  The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury.

A unanimous panel of the D.C. Circuit reversed the district court’s ruling.  The D.C. Circuit held that, because the case is only at the pleading stage, the complaint can satisfy the standing requirement if it “plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.”  The court held the CareFirst plaintiffs met this standard.

First, the court found the plaintiffs’ complaint did allege that their social security and credit card numbers had been exposed, and the court said there was no serious dispute that “plaintiffs would face a substantial risk of identity theft” if a network intruder accessed such information.

In addition, the court held that the complaint plausibly alleged that even the exposure of customers’ names, birth dates, email addresses and subscriber identification numbers alone created a material risk that customers could suffer “medical identity theft,” which could distort customers’ medical records, deplete their insurance, or affect their ability to obtain other insurance if fraudsters obtain medical services in the victim’s name.  Citing a 2015 Seventh Circuit ruling in a similar case, the D.C. Circuit concluded that “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”