Judge Partially Grants Reconsideration of Claims in Data Breach Suit Against CareFirst


On Friday in the District of Columbia District Court, Judge Christopher Cooper partially granted a motion for reconsideration by the plaintiffs in a class-action brought against health insurer CareFirst Inc. and its affiliates after a data breach disclosed the names, birth dates, contact information, and subscriber identification numbers of more than one million individuals insured by CareFirst.

The named plaintiffs of the putative class originally alleged violations of D.C. tort and contract laws and consumer protection statutes of their respective home states. Specifically, they stated 11 causes of action: breach of contract, negligence, violation of the D.C. Consumer Protection Procedures Act (CPPA), violation of the D.C. Data Breach Notification Act, violation of the Maryland Consumer Protection Act (MCPA), violation of the Virginia Consumer Protection Act (VCPA), fraud, negligence per se, unjust enrichment, breach of the duty of confidentiality, and constructive fraud.

According to the complaint, the data breach presents risks to the plaintiffs through “economic and non-economic loss in the form of mental and emotional pain and suffering” and “years of constant surveillance of their financial and personal records, monitoring, and loss of rights.”

After a dismissal of the original complaint, a reversal, another motion to dismiss by the defendants, a partial grant of that motion, and an appeal by the plaintiffs that was dismissed, the plaintiffs filed a motion for reconsideration of their allegations that had been dismissed for failure to state a claim.

The plaintiffs are now seeking reconsideration pursuant to Federal Rules of Civil Procedure 60(b)(6) and 54(b). Among various reasons, the judge dismissed reconsideration under 60(b)(6) because that rule applies only to final orders; the D.C. Circuit’s ruled dismissal that the plaintiffs are challenging “has declared to be non-final and interlocutory,” the judge explains. However, the judge says that interlocutory appeals may be brought under 54(b).

The plaintiffs argued that reconsideration is warranted because “First, plaintiffs contend that, contrary to the Court’s initial conclusion, actual damages are not required to state a claim for breach of contract under D.C. common law. Second, plaintiffs argue that intervening D.C. Circuit caselaw treats data-breach mitigation expenses as ‘actual damages’ and thereby eliminates the Court’s basis for dismissing nine of their eleven claims. And third, plaintiffs maintain that the Court clearly erred in concluding that CareFirst’s alleged breach of contract is not actionable under the D.C. CPPA,” the court explains.

The court granted reconsideration for the first two elements, but denied reconsideration of the third based on the D.C. appellate court’s reasoning in Velcoff v. Medstar Health Inc. that “matching allegations of the complaint to the corresponding subsections of the CPPA is a straightforward task,” which the judge said “does not purport to implicate whether a breach of contract, intentional or otherwise, is actionable under the CPPA.”

The plaintiffs are represented by Paulson & Nace, Nidel Law, and the Giatras Law Firm. The defendants are represented by Eversheds Sutherland and Grayden, Head & Ritchey.