D.C. Circuit Reverses Data Breach Class Action Dismissal on Standing Grounds

Ballard Spahr LLP

The U.S. Court of Appeals for the D.C. Circuit has reinstated a data breach class action filed against CareFirst BlueCross BlueShield (CareFirst). The lawsuit stems from a June 2014 data breach in which hackers infiltrated 22 CareFirst computers and compromised the personal information of more than a million policyholders.

Reversing the district court’s dismissal at the pleadings stage, the D.C. Circuit held that the policyholders’ allegation that the breach exposed them to a substantial risk of identity theft satisfied the Article III standing doctrine.

The court had “little difficulty” concluding that the risk of injury was fairly traceable to CareFirst’s alleged failure to adequately secure its policyholders’ personal information and also that the policyholders’ injuries could be redressed by a damages award.

The circuit court’s decision rests on its conclusion that the district court misapplied standing precedent under the U.S. Supreme Court’s decision in Clapper v. Amnesty Int'l USA and also misread the factual allegations of the complaint regarding the types of personal information at issue.

To establish standing, plaintiffs bear the burden of showing that they have suffered an “injury in fact” that is “fairly traceable” to the defendant’s actions and that the injury is “likely to be redressed” by the relief sought. At the pleadings stage, a plaintiff is only required to state a “plausible claim” as to each element, which the D.C. Circuit characterized as a “low bar.”

The principal focus in this case was on the “injury in fact” requirement. Quoting from the Supreme Court’s recent decision in Spokeo, Inc. v. Robins, the D.C. Circuit noted that this requires a showing that the injury is “concrete, particularized, and, most importantly for our purposes, ‘actual or imminent’ rather than speculative.” An injury is sufficiently imminent when it is “certainly impending” or when there is a “substantial risk” that it will occur.

The key to both the district and circuit court analyses of “substantial risk” of future injury was the types of personal information that were accessed by hackers. Both courts agreed that the complaint alleged that this information included policyholders’ names, birth dates, email addresses, and health insurance policy subscriber identification numbers.

Contrary to the district court decision (read our earlier Alert here), the D.C. Circuit concluded that the complaint also alleged that policyholders’ Social Security and credit card numbers were accessed by hackers. The complaint further alleged that “[i]dentity thieves can use identifying data—including that accessed on Defendants’ servers—to open new financial accounts, incur charges in another person’s name and commit various other financial misdeeds; the CareFirst breach exposed ‘all of the information wrongdoers need’ for appropriation of a victim’s identity.” The court agreed that “experience and common sense” support the conclusion that the theft of Social Security and credit card numbers creates a substantial risk of financial identity theft.

The court separately concluded that the complaint plausibly alleged a substantial risk of “medical identity theft,” based on the exposure of the plaintiffs’ health insurance policy subscriber numbers in combination with their names, birth dates, and email addresses. Even if their Social Security numbers were not stolen, the court concluded, the plaintiffs faced a substantial risk that a fraudster could “impersonate the victim and obtain medical services in her name.” Such “fraud leads to ‘inaccurate entries in [victims’] medical records’ and ‘can potentially cause victims to receive improper care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs.’”

A substantial risk of harm exists, the court concluded, “simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.” The D.C. Circuit quoted the Seventh Circuit’s decision in Remijas v. Neiman Marcus Corp., which found standing plausible in a class action based on another hacking-based data breach of consumer financial information. The D.C. Circuit noted: “Why else would hackers break into a . . . database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” (Read our Alert about Remijas here.)

The D.C. Circuit now joins the growing circuit split over whether individuals whose personal information is stolen by hackers can satisfy the standing doctrine based solely on allegations of a substantial risk of future injury. In addition to the Seventh Circuit’s Remijas decision, the Third Circuit recently reinstated a data breach class action against Horizon Healthcare Services, Inc., in the wake of the 2013 theft of two laptop computers containing unencrypted personal information of Horizon Healthcare plan members. (Read our Alert on the Horizon case here.) The Ninth Circuit also has upheld standing allegations in similar data breach class actions.

These decisions significantly expand the circumstances under which consumers may pursue class actions against companies victimized by hackers who access highly sensitive personal information, such as Social Security and credit card numbers, as well as health insurance subscriber information. Companies that collect, process, or store such sensitive information should anticipate and prepare for litigation as soon as they discover any cyber incident involving these types of information.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
