A lawsuit against a New Jersey insurance company sought damages for a November 2013 data breach that reportedly resulted in the theft of personal information of hundreds of thousands of policyholders. The plaintiffs sought to certify the suit as a class action on behalf of other policyholders whose information was compromised. They asserted causes of action for breach of contract, negligence, and violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., and the New Jersey Consumer Fraud Act (CFA), N.J. Rev. Stat. § 56:8-1 et seq. In March 2015, however, the district court dismissed the lawsuit, holding that the plaintiffs lacked standing to sue under the FCRA. In re Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418, opinion (D.N.J., Mar. 31, 2015).
The defendant is a New Jersey-based health insurance company that provides services to about 3.7 million individuals. At some point over the weekend of November 1-3, 2013, an unknown individual stole two laptop computers from the defendant's office in Newark. The laptops, which were protected by passwords, contained the personal information of over 839,000 policyholders, including names, dates of birth, member numbers, and addresses. The computers also contained Social Security numbers and clinical information for some policyholders.
The defendant issued a press release several days after the theft describing the extent of the data breach. It stated that it was not clear if the thief or thieves would be able to break the password protection to access the information on the laptops. It individually notified the policyholders whose information was contained on the laptops, and it offered free identity theft protection and credit monitoring services to policyholders whose Social Security numbers might have been compromised.