365 F. Supp. 3d 1
D.C. Cir. 2019
Background
- In 2014 CareFirst suffered a data breach, disclosed in May 2015, in which personal information of millions of insureds was accessed; plaintiffs are seven insureds from D.C., Maryland, and Virginia.
- Plaintiffs filed a putative class action asserting 11 claims under D.C., Maryland, and Virginia law (contract, multiple torts, unjust enrichment, and state consumer-protection and breach-notification statutes).
- Most plaintiffs alleged only increased risk of identity theft and prophylactic mitigation expenses (credit monitoring); only the Tringlers alleged actual misuse (tax-refund fraud).
- The district court initially dismissed for lack of Article III standing; the D.C. Circuit reversed, holding plaintiffs plausibly alleged a substantial risk of identity theft for standing, and remanded.
- On remand CareFirst moved to dismiss under Rule 12(b)(6); the district court (Judge Cooper) applied D.C. substantive law (with state-law issues for MD/VA statutes) and dismissed most claims, leaving only the Tringlers’ breach of contract and MCPA claims.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Adequacy of alleged "actual damages" for nine claims (contract, negligence, negligence per se, fraud, constructive fraud, breach of confidentiality, MD & VA consumer acts, D.C. breach-notification) | Plaintiffs say standing ruling proves sufficient injury; allege heightened risk, mitigation expenditures, benefit-of-the-bargain loss, and emotional distress as damages | CareFirst says state-law causes require actual damages (not speculative risk); prophylactic expenses and alleged overpayment are insufficient | Court: Except for the Tringlers (who alleged actual misuse), plaintiffs fail to plead actual damages for these nine claims; risk and prophylactic costs are generally not recoverable under D.C. law; emotional distress alone insufficient. |
| Whether insurer–insured contractual relationship bars tort claims (independent-duty / economic-loss concerns; fiduciary duty) | Plaintiffs: privacy policies and promises (incl. HIPAA/privacy statements) create duties independent of contract; may plead torts too | CareFirst: duties arise from contract—no separate common-law duty alleged; economic loss rule and lack of fiduciary/special relationship bar tort recovery | Court: Plaintiffs did not plead a duty independent of the contract; insurer–insured relationship here is contractual, not fiduciary; tort claims dismissed. |
| Unjust enrichment (pleaded in alternative) | Plaintiffs seek unjust enrichment in the alternative in case contract is unenforceable | CareFirst: valid contract exists; cannot recover both; plaintiffs have not alleged contract invalidity | Court: Unjust enrichment dismissed—plaintiffs did not allege invalid/unenforceable contract to justify alternative pleading. |
| D.C. Consumer Protection Procedures Act (DCCPPA) claim | D.C. plaintiffs allege CareFirst’s privacy-policy misrepresentations and breach are unlawful trade practices | CareFirst: DCCPPA cannot be based on mere breach of contract; intentional breach is not per se an unlawful trade practice | Court: DCCPPA claim dismissed as duplicative of contract and not a distinct unlawful trade practice under D.C. law. |
| Whether insurers are exempt from MCPA liability for data-security conduct under the MCPA professional-services exemption | Plaintiffs: data-security practices are ancillary/commercial, not professional medical services | CareFirst: MCPA exempts insurance companies’ "professional services," so MCPA claims must be dismissed | Court: Professional-services exemption does not cover insurer data-security practices here; Tringlers’ MCPA claim survives. |
Key Cases Cited
- Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (plaintiffs plausibly alleged substantial risk of identity theft for Article III standing)
- Randolph v. ING Life Ins. & Annuity Co., 973 A.2d 702 (D.C. 2009) (D.C. Court of Appeals: increased risk of future identity theft and prophylactic expenses do not constitute actionable damages for negligence/fiduciary claims)
- Choharis v. State Farm Fire & Cas. Co., 961 A.2d 1080 (D.C. 2008) (tort claims based on contractual duties require an independent duty separate from the contract)
- Cahn v. Antioch Univ., 482 A.2d 120 (D.C. 1984) (actual loss or damage is an essential element of breach of contract under D.C. law)
- Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007) (increased risk of identity theft alone does not support recovery for credit-monitoring expenses)
- In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F. Supp. 3d 1113 (N.D. Cal. 2018) (court recognized benefit-of-the-bargain damages theory on 12(b)(6) facts showing specific value paid for enhanced privacy)
- In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953 (N.D. Cal. 2016) (adopted loss-of-benefit-of-the-bargain theory for plaintiffs who alleged Anthem contracted for security measures it failed to deliver)
- Kitt v. Capital Concerts, Inc., 742 A.2d 856 (D.C. 1999) (fraud requires provable pecuniary damages)
- Scull v. Groover, Christie & Merritt, P.C., 76 A.3d 1186 (Md. 2013) (professional-services exemption under MCPA interpreted narrowly; commercial/ancillary billing practices were not exempt)
