(CN) – The Third Circuit revived a federal class action by customers of Horizon Blue Cross Blue Shield whose personal information was compromised from the theft of two laptops from the insurer’s New Jersey offices.
Though the prospective class members cannot yet prove that the theft of their data has harmed them personally, the Philadelphia-based federal appeals court found Friday that the disclosure of their personal information alone is enough to demonstrate standing.
“With the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm,” U.S. Circuit Judge Kent Jordan wrote for a three-judge panel, abbreviating the Fair Credit Reporting Act.
Jordan added in a footnote that Congress may have been motivated to make disclosure alone a concrete injury since obtaining proof of identity theft could take significant time, and would give defendants wide latitude to distinguish their data breach from distant abuses.
“Plaintiffs here do not allege a mere technical or procedural violation of FCRA,” Jordan said. “They allege instead the unauthorized dissemination of their own private information – the very injury that FCRA is intended to prevent.”
Horizon suffered the laptop thefts at its Newark headquarters over an early November weekend in 2013. The two laptop computers that were stolen contained the unencrypted personal information of more than 839,000 Horizon Healthcare members.
The circumstances surrounding the theft suggest that the thieves targeted the computers for the information they contained, not the value of the laptops alone. The files on the laptops contained files with member addresses, policy number, date of birth, and in some instances, Social Security numbers.
Horizon notified affected members immediately, and offered them one year of identity theft protection services for free. It also promised to implement stronger encryption processes in the future.
Two months ago, Horizon reported another privacy breach. It accidentally mailed benefits letters to 170,000 New Jersey members with the names, policy numbers and physician information of other policyholders. The information disclosed did not include Social Security numbers, addresses, or dates of birth.