Attias v. Carefirst, Inc.
199 F. Supp. 3d 193
D.D.C. 2016
Background
- In June 2014 CareFirst suffered a data breach affecting ~1.1 million policyholders; stolen fields included names, birth dates, email addresses, and subscriber IDs (no social security or credit card numbers alleged in the complaint).
- Seven named plaintiffs sued CareFirst in federal court asserting state-law claims and alleging failures to safeguard personal information; a related class action was filed in Maryland.
- CareFirst moved to dismiss under Rule 12(b)(1) (lack of subject-matter jurisdiction/standing) and 12(b)(6); the court addressed only jurisdictional (standing) issues.
- Most plaintiffs alleged only an increased risk of future identity theft and out-of-pocket mitigation expenses; two plaintiffs (the Tringlers) alleged tax-refund fraud (actual identity-theft harm).
- The court applied Article III standing doctrine (injury-in-fact, causation, redressability) and recent Supreme Court precedents requiring a concrete and particularized injury that is actual or imminent (Clapper, Spokeo).
- The court concluded plaintiffs failed to show a substantial risk of imminent harm or a plausible causal link to the breach, and dismissed the complaint for lack of subject-matter jurisdiction.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether theft of personal data (names, birth dates, emails, subscriber IDs) creates Article III injury via increased risk of identity theft | Increased likelihood of identity theft from breach is a cognizable, imminent injury | Mere loss of data without evidence of misuse is speculative and insufficient for standing | Denied: increased-risk allegations were too speculative to confer standing under Clapper |
| Whether alleged tax-refund fraud experienced by two plaintiffs is fairly traceable to the CareFirst breach | Tringlers say their tax refund was stolen after the breach, constituting concrete harm | Defendants note complaint does not allege stolen SSNs and challenge causal link | Denied: plaintiffs did not plausibly allege that breach included SSNs or that fraud is traceable to breach |
| Whether expenses for credit-monitoring or other mitigation confer standing | Plaintiffs incurred out-of-pocket costs to mitigate risk, creating injury | Plaintiffs cannot manufacture standing by spending to avoid a speculative future harm | Denied: mitigation costs cannot create standing when underlying future harm is not certainly impending |
| Whether statutory consumer-protection violations alone confer Article III standing | Violation of consumer-protection statutes supplies standing | Statutory violations cannot substitute for a concrete Article III injury | Denied: statutory violation without concrete injury insufficient after Spokeo |
Key Cases Cited
- Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) (future harms must be certainly impending; speculative chain of events insufficient for standing)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (Article III standing requires injury-in-fact, causation, redressability)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (statutory violations do not automatically satisfy Article III; injury must be concrete and particularized)
- Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015) (where many victims suffered actual fraudulent charges, increased risk can support standing)
- In re Sci. Applications Int’l Corp., 45 F. Supp. 3d 14 (D.D.C. 2014) (data-theft plaintiffs failed to show substantial risk of imminent misuse; similar application of Clapper)
