Customers of a medical insurance provider have filed a class action complaint against the provider in the District Court of Nebraska. The complaint alleges that the insurance provider exposed personally identifiable information (PII) to unauthorized individuals. The PII involved could lead to a wide range of identity fraud.
The complaint states that the Plaintiff had purchased a dental insurance policy from the Defendant, and that the Defendant’s information systems were breached by cybercriminals. This led to the Plaintiff’s PII being accessed along with the information of at least 39,675 other individuals. The information that was compromised in the data breach included:
- Names
- Addresses
- Email addresses
- Dates of birth
- Social Security numbers
- Member identification numbers
- Policyholder names and numbers
- Identification of the insured’s employers
Plaintiff Argument
Since the data breach, the Plaintiff alleges that she has had to deal with situations that can only be linked to the data breach. These include:
- Losing $280 due to fraudulent activity on her Amazon account
- Having two email accounts compromised
- Replacing credit cards 5 times
- Receiving targeted advertising for credit monitoring services
Defendant Argument
The Defendant argued that the Plaintiff failed to demonstrate that her injuries are traceable to its conduct. It argued that the categories of PII accessed by hackers are not connected to the specific harms she suffered. According to the Defendant, the unauthorized charges and replacement credit cards are not linked to the breach because no credit card information was accessed. The same applies to the email accounts, as no passwords were accessed in the breach.
Court Conclusion
It was agreed that the data that was compromised is information that can lead to a wide range of identity fraud. With access to the information above, a hacker could gain access to credit records and credit card accounts. There is also a plausible risk that the Plaintiff will suffer harm from identity theft in the future. This is due to the sensitive nature of the information and the allegations that the PII will be made available on the dark web.
The medical insurance company had a legal duty under Nebraska law to protect the Plaintiff’s information once it had collected it. However, there is no special confidential relationship between the two that would give rise to a fiduciary duty.
The Plaintiff failed to allege that the Defendant acted deceptively in violation of the Nebraska Uniform Deceptive Trade Practices Act. The court therefore granted the Defendant’s motion to dismiss in part, dismissing the Plaintiff’s claims for breach of fiduciary duty and violation of the Nebraska Uniform Deceptive Trade Practices Act.