In re Horizon Healthcare Servs. Inc. Data Breach Litig.

Decision Date20 January 2017
Docket NumberNo. 15-2309,15-2309
Citation846 F.3d 625
Parties IN RE: HORIZON HEALTHCARE SERVICES INC. DATA BREACH LITIGATION Courtney Diana; Mark Meisel ; Karen Pekelney; Mitchell Rindner, Appellants
CourtU.S. Court of Appeals — Third Circuit

Ben Barnow, Erich P. Schork [ARGUED], Barnow & Associates, P.C., One North LaSalle Street, Suite 4600, Chicago, IL 60602

Joseph J. DePalma, Jeffrey A. Shooman, Lite DePalma Greenberg, LLC, 570 Broad Street, Suite 1201, Newark, NJ 07102

Robert N. Kaplan, David A. Straite, Kaplan Fox & Kilsheimer LLP, 850 Third Avenue, 14th Floor, New York, NY 10022

Laurence D. King, Kaplan Fox & Kilsheimer LLP, 350 Sansome Street, Suite 400, San Francisco, CA 94104

Philip A. Tortoreti, Wilentz, Goldman & Spitzer, PA, 90 Woodbridge Center Drive, Suite 900, Woodbridge, NJ 07095, Counsel for Appellants

Kenneth L. Chernof [ARGUED], Arthur Luk, Arnold & Porter LLP, 601 Massachusetts Avenue, NW, Washington, DC 20001

David Jay, Philip R. Sellinger, Greenberg Traurig, 500 Campus Drive, Suite 400, Florham Park, NJ 07932, Counsel for Appellee

Before: JORDAN, VANASKIE, and SHWARTZ, Circuit Judges.

OPINION

JORDAN, Circuit Judge.

The dispute at the bottom of this putative class action began when two laptops, containing sensitive personal information, were stolen from health insurer Horizon Healthcare Services, Inc. The four named Plaintiffs filed suit on behalf of themselves and other Horizon customers whose personal information was stored on those laptops. They allege willful and negligent violations of the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681, et seq. , as well as numerous violations of state law. Essentially, they say that Horizon inadequately protected their personal information. The District Court dismissed the suit under Federal Rule of Civil Procedure 12(b)(1) for lack of Article III standing. According to the Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.

We will vacate and remand. In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs' information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).

I. BACKGROUND
A. Factual Background1

Horizon Healthcare Services, Inc., d/b/a Horizon Blue Cross Blue Shield of New Jersey ("Horizon") is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In the regular course of its business, Horizon collects and maintains personally identifiable information (e.g. , names, dates of birth, social security numbers, and addresses) and protected health information (e.g. , demographic information, medical histories, test and lab results, insurance information, and other care-related data) on its customers and potential customers. The named PlaintiffsCourtney Diana, Mark Meisel, Karen Pekelney, and Mitchell Rindner2 —and other class members are or were participants in, or as Horizon puts it, members of Horizon insurance plans. They entrusted Horizon with their personal information.3

Horizon's privacy policy states that the company "maintain[s] appropriate administrative, technical and physical safeguards to reasonably protect [members'] Private Information." (App. at 29.) The policy also provides that, any time Horizon relies on a third party to perform a business service using personal information, it requires the third party to "safeguard [members'] Private Information" and "agree to use it only as required to perform its functions for [Horizon] and as otherwise permitted by ... contract and the law." (App. at 29.) Through the policy, Horizon pledges to "notify [members of its insurance plans] without unreasonable delay" of any breach of privacy. (App. at 29.)

During the weekend of November 1st to 3rd, 2013, two laptop computers containing the unencrypted personal information of the named Plaintiffs and more than 839,000 other Horizon members were stolen from Horizon's headquarters in Newark, New Jersey. The Complaint alleges that "[t]he facts surrounding the Data Breach demonstrate that the stolen laptop computers were targeted due to the storage of Plaintiffs' and Class Members' highly sensitive and private [personal information] on them." (App. at 32.) Horizon discovered the theft the following Monday, and notified the Newark Police Department that day. It alerted potentially affected members by letter and a press release a month later, on December 6. The press release concerning the incident noted that the computers "may have contained files with differing amounts of member information, including name and demographic information (e.g., address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information." (App. at 33.)

Horizon offered one year of credit monitoring and identity theft protection services to those affected, which the Plaintiffs allege was inadequate to remedy the effects of the data breach. At a January 2014 New Jersey Senate hearing, "Horizon confirmed that it had not encrypted all of its computers that contained [personal information]." (App. at 35.) Thereafter, "Horizon allegedly established safeguards to prevent a similar incident in the future—including tougher policies and stronger encryption processes that could have been implemented prior to the Data Breach and prevented it." (App. at 35.)

Some personal history about the named Plaintiffs is included in the Complaint. Diana, Meisel, and Pekelney are all citizens and residents of New Jersey who were Horizon members who received letters from Horizon indicating that their personal information was on the stolen laptops. The Complaint does not include any allegation that their identities were stolen as a result of the data breach. Plaintiff Rindner is a citizen and resident of New York. He was a Horizon member but was not initially notified of the data breach. After Rindner contacted Horizon in February 2014, the company confirmed that his personal information was on the stolen computers. The Plaintiffs allege that, "[a]s a result of the Data Breach, a thief or thieves submitted to the [IRS] a fraudulent Income Tax Return for 2013 in Rindner's and his wife's names and stole their 2013 income tax refund." (App. at 27.) Rindner eventually did receive the refund, but "spent time working with the IRS and law enforcement ... to remedy the effects" of the fraud, "incurred other out-of-pocket expenses to remedy the identity theft[,]" and was "damaged financially by the related delay in receiving his tax refund." (App. at 27, 41.) After that fraudulent tax return, someone also fraudulently attempted to use Rindner's credit card number in an online transaction. Rindner was also "recently denied retail credit because his social security number has been associated with identity theft." (App. at 27.)

B. Procedural Background

The Plaintiffs filed suit on June 27, 2014. Count I of the Complaint claims that Horizon committed a willful violation of FCRA; Count II alleges a negligent violation of FCRA; and the remaining counts allege various violations of state law.4 FCRA was enacted in 1970 "to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy." Safeco Ins. Co. of Am. v. Burr , 551 U.S. 47, 52, 127 S.Ct. 2201, 167 L.Ed.2d 1045 (2007). With respect to consumer privacy, the statute imposes certain requirements on any "consumer reporting agency" that "regularly ... assembl[es] or evaluat[es] consumer credit information ... for the purpose of furnishing consumer reports to third parties." 15 U.S.C. § 1681a(f). Any such agency that either willfully or negligently "fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer." Id . §§ 1681n(a) (willful violations); 1681o(a) (negligent violations).

In their Complaint, the Plaintiffs assert that Horizon is a consumer reporting agency and that it violated FCRA in several respects. They say that Horizon "furnish[ed]" their information in an unauthorized fashion by allowing it to fall into the hands of thieves. (App. at 48.) They also allege that Horizon fell short of its FCRA responsibility to adopt reasonable procedures5 to keep sensitive information confidential.6 According to the Plaintiffs, Horizon's failure to protect their personal information violated the company's responsibility under FCRA to maintain the confidentiality of their personal information.7

The Plaintiffs seek statutory,8 actual, and punitive damages, an injunction to prevent Horizon from continuing to store personal information in an unencrypted manner, reimbursement for ascertainable losses, pre- and post-judgment interest, attorneys' fees and costs, and "such other and further relief as this Court may deem just and proper." (App. at 64.)

Horizon moved to dismiss the Complaint for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted under Rule 12(b)(6). The District Court granted dismissal under Rule 12(b)(1), ruling that the Plaintiffs lack Article III standing. The Court concluded that, even taking the Plaintiffs' allegations as true, they did not have standing because they had not suffered a cognizable injury. Because the Court granted Horizon's Rule 12(b)(1) motion, it did not address Horizon's Rule 12(b)(6) arguments and declined to exercise supplemental jurisdiction over the remaining state law...

To continue reading

Request your trial
340 cases
  • Taylor v. Fred's, Inc.
    • United States
    • U.S. District Court — Northern District of Alabama
    • February 2, 2018
    ...Circuit summarized its post-Spokeo holding in the FCRA case of In re Horizon Healthcare Services Inc. Data Breach Litigation , 846 F.3d 625 (3d Cir. 2017) :We summarize Horizon 's rule as follows. When one sues under a statute alleging "the very injury [the statute] is intended to prevent,"......
  • Mazo v. Way
    • United States
    • U.S. District Court — District of New Jersey
    • July 30, 2021
    ...Const. Party of Pennsylvania v. Aichele , 757 F.3d 347, 357 (3d Cir. 2014) (citations omitted); In re Horizon Healthcare Servs. Inc. Data Breach Litig. , 846 F.3d 625, 632 (3d Cir. 2017). On a facial attack, courts "only consider the allegations of the complaint and documents referenced the......
  • Statee., Inc. v. Hammer ex rel. Situated
    • United States
    • West Virginia Supreme Court
    • November 19, 2021
    ...of the hack and the nature of the data that the plaintiffs allege was taken."); Third Circuit (In re Horizon Healthcare Serv. Inc. Data Breach Litig ., 846 F.3d 625, 641 (3d Cir. 2017) (noting the injury-in-fact requirement is not insurmountable, thus finding a violation of the Fair Credit ......
  • Diamond v. Pa. State Educ. Ass'n
    • United States
    • U.S. District Court — Western District of Pennsylvania
    • July 8, 2019
    ...884, 891 (3d Cir. 1977) ). There are two types of Rule 12(b)(1) challenges: facial and factual. In re Horizon Healthcare Servs. Inc. Data Breach Litig. , 846 F.3d 625, 632-33 (3d Cir. 2017) ; Hartig Drug Co. Inc. v. Senju Pharm. Co. Ltd. , 836 F.3d 261, 268 (3d Cir. 2016). A facial challeng......
  • Request a trial to view additional results
2 firm's commentaries
  • First There Was Litigation; And Then There Was Standing
    • United States
    • Mondaq United States
    • August 27, 2021
    ...of harm arguments for common law claims. This is demonstrated by the court in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 641 (3d Cir. 2017), which found standing when personal data was breached in violation of the Fair Credit Reporting Act. The court did not delv......
  • First There Was Litigation; And Then There Was Standing
    • United States
    • Mondaq United States
    • August 27, 2021
    ...of harm arguments for common law claims. This is demonstrated by the court in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 641 (3d Cir. 2017), which found standing when personal data was breached in violation of the Fair Credit Reporting Act. The court did not delv......
5 books & journal articles
  • Making the Intangible Concrete: Litigating Intangible Privacy Harms in a Post-spokeo World
    • United States
    • California Lawyers Association Competition: Antitrust, UCL and Privacy (CLA) No. 26-1, March 2017
    • Invalid date
    ...of private information without permission Invasion of Privacy In re Horizon Healthcare Servs., Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017) Emotional Distress Larson v. Trans Union, LLC, 201 F. Supp. 3d 1103 (N.D. Cal. 2016) Informational Injury Larson v. Trans Union, LLC, 201 F. Su......
  • Fishy Class Certification: A Packaged Tuna Antitrust Case and a Shift in Class Certification Standards.
    • United States
    • Missouri Law Review Vol. 88 No. 2, March 2023
    • March 22, 2023
    ...(8th Cir. 2013). (92) Denney, 443 F.3d at 264; Halvorson, 718 F.3d at 778. (93) In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 634 (3d Cir. 2017) (adopting the "representative plaintiff rule in which only one named plaintiff must establish injury-in-fact); In re Deep......
  • "questions Involving National Peace and Harmony" or "injured Plaintiff Litigation"? the Original Meaning of "cases" in Article Iii of the Constitution
    • United States
    • Georgia State University College of Law Georgia State Law Reviews No. 36-5, July 2020
    • Invalid date
    ...Scott Crossley, Eric Friginal, and Ute Römer) specialize in this area.30. Compare In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017) (holding that Article III standing is established from the unauthorized dissemination of private information as a de facto i......
  • GETTING INTO COURT WHEN THE DATA HAS GOTTEN OUT: A TWO-PART FRAMEWORK.
    • United States
    • Washington University Law Review Vol. 98 No. 4, April 2021
    • April 1, 2021
    ...in English and American tort law. Id. at *8 (emphasis in original) (quoting In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 638 (3d Cir. (126.) Id. at *8 (quoting In re Horizon Healthcare, 846 F.3d at 639). (127.) Larson v. Trans Union, LLC, 201 F. Supp. 3d 1103 (N.D.......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT