846 F.3d 625 (3rd Cir. 2017), 15-2309, In re Horizon Healthcare Services Inc. Data Breach Litigation

Docket Nº:15-2309
Citation:846 F.3d 625
Opinion Judge:JORDAN, Circuit Judge.
Party Name:In Re: HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION; Courtney Diana; Mark Meisel; Karen Pekelney; Mitchell Rindner, Appellants
Attorney:For Appellants: Ben Barnow, Erich P. Schork [ARGUED], Barnow & Associates, P.C., Chicago, IL; Joseph J. DePalma, Jeffrey A. Shooman, Lite DePalma Greenberg, LLC, Newark, NJ; Robert N. Kaplan, David A. Straite, Kaplan Fox & Kilsheimer LLP, New York, NY; Laurence D. King, Kaplan Fox & Kilsheimer LL...
Judge Panel:Before: JORDAN, VANASKIE, and SHWARTZ, Circuit Judges. SHWARTZ, Circuit Judge, concurring in the judgment. SHWARTZ, Circuit Judge, concurring in the judgment.
Case Date:January 20, 2017
Court:United States Courts of Appeals, Court of Appeals for the Third Circuit

Page 625

846 F.3d 625 (3rd Cir. 2017)

In Re: HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION; Courtney Diana; Mark Meisel; Karen Pekelney; Mitchell Rindner, Appellants

No. 15-2309

United States Court of Appeals, Third Circuit

January 20, 2017

Argued July 12, 2016

Page 626

[Copyrighted Material Omitted]

Page 627

[Copyrighted Material Omitted]

Page 628

On Appeal from the United States District Court for the District of New Jersey. (D.N.J. No. 2-13-cv-07418). District Judge: Honorable Claire C. Cecchi.

For Appellants: Ben Barnow, Erich P. Schork [ARGUED], Barnow & Associates, P.C., Chicago, IL; Joseph J. DePalma, Jeffrey A. Shooman, Lite DePalma Greenberg, LLC, Newark, NJ; Robert N. Kaplan, David A. Straite, Kaplan Fox & Kilsheimer LLP, New York, NY; Laurence D. King, Kaplan Fox & Kilsheimer LLP, San Francisco, CA; Philip A. Tortoreti, Wilentz, Goldman & Spitzer, PA, Woodbridge, NJ.

For Appellee: Kenneth L. Chernof [ARGUED], Arthur Luk, Arnold & Porter LLP, Washington, DC; David Jay, Philip R. Sellinger, Greenberg Traurig, Florham Park, NJ.

Before: JORDAN, VANASKIE, and SHWARTZ, Circuit Judges. SHWARTZ, Circuit Judge, concurring in the judgment.


Page 629

JORDAN, Circuit Judge.

The dispute at the bottom of this putative class action began when two laptops, containing sensitive personal information, were stolen from health insurer Horizon Healthcare Services, Inc. The four named Plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops. They allege willful and negligent violations of the Fair Credit Reporting Act (" FCRA" ), 15 U.S.C. § 1681, et seq., as well as numerous violations of state law. Essentially, they say that Horizon inadequately protected their personal information. The District Court dismissed the suit under Federal Rule of Civil Procedure 12(b)(1) for lack of Article III standing. According to the Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.

We will vacate and remand. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs' information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).


A. Factual Background 1

Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey (" Horizon" ) is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In the regular course of its business, Horizon collects and maintains personally identifiable information ( e.g., names, dates of birth, social security numbers, and addresses) and protected health information ( e.g., demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers. The named Plaintiffs -- Courtney Diana, Mark Meisel, Karen Pekelney, and Mitchell Rindner2 - and other class members are or were participants in, or as Horizon puts it, members of Horizon insurance plans. They entrusted Horizon with their personal information.3

Horizon's privacy policy states that the company " maintain[s] appropriate administrative, technical and physical safeguards

Page 630

to reasonably protect [members'] Private Information." (App. at 29.) The policy also provides that, any time Horizon relies on a third party to perform a business service using personal information, it requires the third party to " safeguard [members'] Private Information" and " agree to use it only as required to perform its functions for [Horizon] and as otherwise permitted by ... contract and the law." (App. at 29.) Through the policy, Horizon pledges to " notify [members of its insurance plans] without unreasonable delay" of any breach of privacy. (App. at 29.)

During the weekend of November 1st to 3rd, 2013, two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839,000 other Horizon members were stolen from Horizon's headquarters in Newark, New Jersey. The Complaint alleges that " [t]he facts surrounding the Data Breach demonstrate that the stolen laptop computers were targeted due to the storage of Plaintiffs' and Class Members' highly sensitive and private [personal information] on them." (App. at 32.) Horizon discovered the theft the following Monday, and notified the Newark Police Department that day. It alerted potentially affected members by letter and a press release a month later, on December 6. The press release concerning the incident noted that the computers " may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information." (App. at 33.)

Horizon offered one year of credit monitoring and identity theft protection services to those affected, which the Plaintiffs allege was inadequate to remedy the effects of the data breach. At a January 2014 New Jersey Senate hearing, " Horizon confirmed that it had not encrypted all of its computers that contained [personal information]." (App. at 35.) Thereafter, " Horizon allegedly established safeguards to prevent a similar incident in the future--including tougher policies and stronger encryption processes that could have been implemented prior to the Data Breach and prevented it." (App. at 35.)

Some personal history about the named Plaintiffs is included in the Complaint. Diana, Meisel, and Pekelney are all citizens and residents of New Jersey who were Horizon members who received letters from Horizon indicating that their personal information was on the stolen laptops. The Complaint does not include any allegation that their identities were stolen as a result of the data breach. Plaintiff Rindner is a citizen and resident of New York. He was a Horizon member but was not initially notified of the data breach. After Rindner contacted Horizon in February 2014, the company confirmed that his personal information was on the stolen computers. The Plaintiffs allege that, " [a]s a result of the Data Breach, a thief or thieves submitted to the [IRS] a fraudulent Income Tax Return for 2013 in Rindner's and his wife's names and stole their 2013 income tax refund." (App. at 27.) Rindner eventually did receive the refund, but " spent time working with the IRS and law enforcement ... to remedy the effects" of the fraud, " incurred other out-of-pocket expenses to remedy the identity theft[,]" and was " damaged financially by the related delay in receiving his tax refund." (App. at 27, 41.) After that fraudulent tax return, someone also fraudulently attempted to use Rindner's credit card number in an online transaction. Rindner was also " recently denied retail credit because his social security number has been associated with identity theft." (App. at 27.)

Page 631

B. Procedural Background

The Plaintiffs filed suit on June 27, 2014. Count I of the Complaint claims that Horizon committed a willful violation of FCRA; Count II alleges a negligent violation of FCRA; and the remaining counts allege various violations of state law.4 FCRA was enacted in 1970 " to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy." Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52, 127 S.Ct. 2201, 167 L.Ed.2d 1045 (2007). With respect to consumer privacy, the statute imposes certain requirements on any " consumer reporting agency" that " regularly ... assembl[es] or evaluat[es] consumer credit information ... for the purpose of furnishing consumer reports to third parties." 15 U.S.C. § 1681a(f). Any such agency that either willfully or negligently " fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer." Id. § § 1681n(a) (willful violations); 1681o(a) (negligent violations).

In their Complaint, the Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects. They say that Horizon " furnish[ed]" their information in an unauthorized fashion by allowing it to fall into the hands of thieves. (App. at 48.) They also allege that Horizon fell short of its FCRA responsibility to adopt reasonable procedures5 to keep sensitive information confidential.6 According to the Plaintiffs, Horizon's failure to protect their personal information violated the company's responsibility under FCRA to maintain the confidentiality of their personal information.7

Page 632

The Plaintiffs seek statutory,8 actual, and punitive damages, an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner, reimbursement for ascertainable losses, pre-and post-judgment interest, attorneys' fees and costs, and " such other and further relief as this Court may deem just and proper." (App. at 64.)

Horizon moved to dismiss the Complaint for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted under Rule 12(b)(6). The District Court granted dismissal under Rule 12(b)(1), ruling that the Plaintiffs lack...

To continue reading