Attias v. Carefirst, Inc.

• Court: District Court, District of Columbia
• Decided: September 13, 2023
• Docket: Civil Action No. 2015-0882
• Status: Published

Opinion

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

CHANTAL ATTIAS, et al.,

Plaintiffs,

v. Case No. 15-cv-882 (CRC)

CAREFIRST, INC., et al.,

Defendants.

MEMORANDUM OPINION AND ORDER

In April 2014, a cyberattack executed through an email spear phishing campaign gave

hackers unauthorized access to the internal computer systems of Defendant CareFirst, Inc., a

health insurance company. Unbeknownst to CareFirst, the hackers secretly remained on the

company’s systems for months, eventually exfiltrating certain personal identifying information

of CareFirst’s customers. With the help of an outside investigation, CareFirst eventually

uncovered the mischief, but it was too late to stop the breach. Plaintiffs in this case, a group of

those customers whose information was exposed in the breach, filed a class action lawsuit

against CareFirst. Eight years, several motions, and thousands of documents later, only three of

Plaintiffs’ claims remain. CareFirst now has filed a motion for summary judgment on those

claims, which are for breach of contract and violations of consumer protection statutes in both

Maryland and Virginia.

For the reasons detailed in this opinion, the Court will deny CareFirst’s motion as to

Plaintiffs’ breach of contract claim but will grant summary judgment for CareFirst as to the

Maryland and Virginia consumer protection claims. Although the evidence on which Plaintiffs

rely is thin, the Court finds that a reasonable jury could conclude that CareFirst breached an

implied promise to take reasonable steps to safeguard their personal information. Under the Maryland Consumer Protection Act, however, Plaintiffs have failed to show a triable issue of

fact on a key element—reliance on CareFirst’s alleged misrepresentations about the company’s

data security practices. And Plaintiff’s Virginia Consumer Protection Act claim is foreclosed

because CareFirst falls within an exemption in the statute for insurance companies regulated by

the state’s corporation commission.

I. Background

Plaintiffs are District of Columbia, Maryland, and Virginia residents who had health

insurance provided by Defendant CareFirst, Inc.1 during the time relevant to this lawsuit. In

April 2014, hackers gained access into CareFirst’s computer system through an email-based

spear phishing campaign, using an email designed to resemble an official message from

CareFirst. The email was targeted to reach 48 CareFirst employees. Mot. for Summ. J. (“MSJ”),

Ex. Q at 3; MSJ, Ex. C at 105–06. About half a dozen CareFirst employees accessed a malicious

URL linked in the email, and five downloaded and ran the malicious software accessed via the

link. MSJ, Ex. Q at 3. CareFirst took immediate steps to remedy the hacking attempt, including

resetting those employees’ passwords and taking their computers offline, examining the

computers, and reimaging them. MSJ, Ex. C at 193–94; MSJ, Ex. Q at 3–4. But another

CareFirst Employee, Wesley Doyle, who worked in the IT department and had special

administrator credentials which provided deeper access into CareFirst’s computers, also clicked

on the malicious link and thereby gave the hackers broader, undetected access to CareFirst’s

systems. MSJ, Ex. A (Moore Decl.) ¶ 15. Doyle told CareFirst that he was not using his

1 Defendants in this case include various related corporate entities—CareFirst, Inc., Group Hospitalization and Medical Services, Inc., CareFirst of Maryland, Inc., and CareFirst Bluechoice. See Second Amended Compl. (“SAC”) ¶¶ 5–8. Unless otherwise indicated, the Court will refer to all these entities collectively as “CareFirst.”

2 administrator account when he clicked the malware link, but it turned out that the hackers

nonetheless gained administrator credentials. Id.; MSJ, Ex. C at 141–49, 164–69.

Sometime after the April incident, in light of reports from other Blue Cross licensees

Anthem and Premera that their computer systems had been attacked, CareFirst retained external

counsel and hired a cybersecurity firm, Mandiant, to conduct a forensic investigation into

whether CareFirst had also been attacked. Defendants’ Statement of Undisputed Facts

(“DSUF”) ¶¶ 37–39. Mandiant conducted an assessment between March 20, 2015 and May 4,

2015 and, on its 70th and final scan of the CareFirst computer systems, detected evidence that

CareFirst’s systems had been compromised by hackers. Id. ¶¶ 41–42.

As discussed further below, Plaintiffs maintain that CareFirst and its employees

committed several errors that allowed the hackers to gain access to CareFirst’s systems, to

remain in those systems undetected, and to purloin certain personally identifying information

(“PII”) of CareFirst customers. SAC ¶¶ 64–75. Specifically, due to the breach, hackers accessed

a database containing the following information of Plaintiffs and the class they seek to represent:

their names, subscriber ID numbers, dates of birth, e-mail addresses, and usernames chosen for

access to CareFirst’s online member portal (but not their Social Security numbers or any

financial information). MSJ at 4; DSUF ¶ 2; MSJ, Ex. Q at 4; SAC ¶ 94. The breach of this

information affected more than one million CareFirst customers. MSJ at 4; DSUF ¶ 1. After

discovering the exfiltration of this data, in May 2015, CareFirst sent letters to members whose

PII might have been affected, notifying them of the data breach, advising them to reset their

online portal credentials, and offering them two years of free credit monitoring and identity theft

protection services through an Experian product called ProtectMyID. MSJ, Ex. R.

3 A few weeks later, in June 2015, Plaintiffs brought this class action lawsuit, originally

consisting of eleven claims including breach of contract, negligence, violation of D.C.,

Maryland, and Virginia consumer protection laws, violation of the D.C. Data Breach Notification

Act, negligence per se, unjust enrichment, breach of duty of confidentiality, fraud, and

constructive fraud. SAC ¶¶ 64–154. As relevant here, Plaintiffs’ breach of contract claims are

premised on the privacy statements contained in CareFirst’s health insurance agreements, which

provided, with some variation, that CareFirst would “comply with State, Federal and local laws

pertaining to the dissemination or distribution of non-public personally identifiable medical or

health-related data” and, to that end, would “not provide . . . unauthorized third parties any

personally identifiable medical information without the prior written authorization of the

patient.” DSUF ¶¶ 13, 17, 20, 24; MSJ, Ex. B ¶¶ 18, 22, 25, 29. Plaintiffs’ Maryland and

Virginia consumer protection act claims are premised on CareFirst’s Notice of Privacy

Practices—a document describing the company’s privacy policies and practices to consumers—

which stated, among other things, that CareFirst “maintain[ed] physical, electronic and

procedural safeguards in accordance with federal and state standards to protect your health

information.” MSJ, Ex. Z at 1.

In 2016, the Court dismissed the case for lack of standing, explaining that Plaintiffs’

theory of injury was too speculative. The D.C. Circuit reversed, holding that Plaintiffs had

pleaded that information such as credit card and Social Security numbers had been accessed and

that, even if the breached data was more limited, Plaintiffs had pleaded a risk of “‘medical

identity theft,’ in which a fraudster impersonates the victim and obtains medical services in her

name.” Attias v. Carefirst, Inc. (Attias I), 865 F.3d 620, 627–29 (D.C. Cir. 2017). On remand,

the Court dismissed for failure to state a claim all causes of action except for the breach of

4 contract and Maryland Consumer Protection Act (“MCPA”) claims brought by Plaintiffs Curt

and Connie Tringler. Attias v. CareFirst, Inc. (Attias II), 365 F. Supp. 3d 1 (D.D.C. 2019). As

relevant here, the Court concluded that all Plaintiffs except the Tringlers had failed adequately to

allege actual damages as required for most of their claims. Id. at 27.

After Plaintiffs filed a motion for reconsideration, the Court reinstated the breach of

contract claim as to all Plaintiffs. Attias v. CareFirst, Inc. (Attias III), 518 F. Supp. 3d 43

(D.D.C. 2021). The Court observed that, although there is some D.C. Court of Appeals authority

suggesting that actual damages are required for a prima facie contract claim, other authority,

which had not been provided to the Court previously, holds that “‘[e]ven where monetary

damages cannot be proved’ the prevailing party may be entitled to nominal damages, specific

performance, or declaratory relief.” Attias III, 518 F. Supp. 3d at 52 (quoting Wright v. Allen,

60 A.3d 749, 753 & n.3 (D.C. 2013)). However, the Court rejected Plaintiffs’ argument that

money spent to mitigate against potential future identity theft or fraud constituted “actual

damages” under D.C. law. Id. at 52–55. The Court also reinstated Plaintiffs’ claims under the

MCPA and Virginia Consumer Protection Act (“VCPA”). Id. at 57. The Court observed that,

although the Virginia statute requires a “loss” for Plaintiffs to recover, the law also permits

recovery of a $500 civil penalty when actual damages are de minimis, and Virginia courts have

read those loss and actual damages requirements expansively. Id. at 55–56. Although the

Maryland statute is more restrictive than the Virginia act, the Court held that absent any binding

authority to the contrary, “the D.C. Circuit, consistent with its reasoning in [In re: U.S. Office of

Personnel Management Data Security Breach Litigation, 928 F.3d 42 (D.C. Cir. 2019)], would

5 be more likely than not to treat mitigation expenses as actual damages under both statutes.” Id.

at 56.2

CareFirst now moves for summary judgment as to Plaintiffs’ breach of contract, MCPA,

and VCPA claims.

II. Legal Standards

The Court should grant summary judgment “if the movant shows that there is no genuine

dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Fed.

R. Civ. P. 56(a). A genuine issue of material fact exists if the evidence is “‘such that a

reasonable jury could return a verdict for the nonmoving party,’ resolving all ambiguities and

drawing all factual inferences in favor of the nonmoving party.” Moore v. Hartman, 571 F.3d

62, 66 (D.C. Cir. 2009) (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)).

The moving party “bears the initial responsibility of informing the district court of the basis for

its motion, and identifying those portions of the pleadings, depositions, answers to

interrogatories, and admissions on file, together with the affidavits, if any, which it believes

demonstrate the absence of a genuine issue of material fact.” Celotex Corp. v. Catrett, 477 U.S.

317, 323 (1986) (internal quotation marks omitted). The nonmoving party must then “designate

specific facts showing that there is a genuine issue for trial.” Id. (internal quotation marks

omitted). A dispute is “genuine” only if a reasonable jury could find for the nonmoving party,

and a fact is “material” only if “it is capable of affecting the outcome of the litigation.” Egudu v.

District of Columbia, 72 F. Supp. 3d 34, 40 (D.D.C. 2014) (citing Liberty Lobby, 477 U.S. at

2 A few months ago, the Court denied without prejudice to renewal Plaintiffs’ motion for class certification, largely based on concerns about class-member standing and individualized reliance determinations as to Plaintiffs’ MCPA and VCPA claims. Plaintiffs have filed a renewed motion for class certification, which the Court does not address in this opinion.

6 248). When reviewing a summary judgment motion, the Court must “view the facts and draw

reasonable inferences ‘in the light most favorable to the party opposing the’” motion. Scott v.

Harris, 550 U.S. 372, 378 (2007) (quoting United States v. Diebold, Inc., 369 U.S. 654, 655

(1962)). “Credibility determinations, the weighing of the evidence, and the drawing of

legitimate inferences from the facts are jury functions” and thus not appropriate exercises for “a

judge at summary judgment.” Barnett v. PA Consulting Grp., Inc., 715 F.3d 354, 358 (D.C. Cir.

2013) (quoting Pardo–Kronemann v. Donovan, 601 F.3d 599, 604 (D.C. Cir. 2010)).

III. Analysis

The Court begins with Plaintiffs’ breach of contract claims. Although Plaintiffs’ theories

of contract liability are somewhat underdeveloped, and the evidence supporting their claim is

thin, the Court concludes that summary judgment is inappropriate as to at least one of their

theories—that CareFirst violated an implied contractual duty to take reasonable steps to secure

Plaintiffs’ PII by failing to take certain security measures at the time of the data breach. Thus,

the Court will deny the summary judgment motion as to Plaintiffs’ breach of contract claim. The

Court will grant CareFirst’s motion for summary judgment as to the MCPA and VCPA claims,

however. As for the former claim, Plaintiffs have failed to produce evidence from which a

reasonable jury could find that Plaintiffs relied on CareFirst’s statements about data security in

the Notice of Privacy Practices. As to the latter claim, CareFirst falls outside the scope of the

VCPA, which exempts from its coverage insurance companies, including CareFirst, that are

regulated by Virginia’s State Corporation Commission.

A. Breach of Contract

“To prevail on a claim of breach of contract, a party must establish (1) a valid contract

between the parties; (2) an obligation or duty arising out of the contract; (3) a breach of that duty;

7 and (4) damages caused by breach.” Francis v. Rehman, 110 A.3d 615, 620 (D.C. 2015)

(emphasis omitted) (quoting Tsintolas Realty Co. v. Mendez, 984 A.2d 181, 187 (D.C. 2009)).

As to duty and breach, CareFirst maintains that, to the extent the privacy statements in

CareFirst’s insurance plans with Plaintiffs imposed a duty to “comply with state, federal and

local laws pertaining to the dissemination or distribution” of PII and a duty not to provide

unauthorized third parties with any member PII, this duty pertains only to affirmative

dissemination of PII, not hacking by unauthorized third parties. MSJ at 9–12. CareFirst thus

contends that it complied with this duty because it did not freely disseminate PPI. Id. Second, to

the extent Plaintiffs’ contract claim is premised on a promise to abide by the Health Insurance

Portability and Accountability Act (“HIPAA”), CareFirst maintains that it “safeguarded

Plaintiffs’ [PII] in accordance with HIPAA,” citing, for instance, a 2013 privacy and security risk

audit by KPMG that found CareFirst had robust security systems. Id. at 12–14. Third, CareFirst

argues that any breach was not material. Id. at 17. Last, CareFirst renews arguments previously

presented to the Court that Plaintiffs have no actual damages and that any nominal damages are

de minimis. Id. at 15–18.3 The Court addresses each of these arguments, and Plaintiffs’

responses, in turn.

1. Contractual Duties

CareFirst concedes that its relationship with the Plaintiffs was contractual but contends

that the only contractual duty arising from the Privacy Statements in Plaintiffs’ insurance

agreements was a duty not to affirmatively disseminate, distribute, or provide Plaintiffs’ PII to

unauthorized persons. MSJ at 11. Although their briefing is less than clear at times, Plaintiffs

3 CareFirst also asserts that two of the named Defendants—CareFirst, Inc. and Group Hospitalization and Medical Services, Inc.—had no contractual relationship with any Plaintiffs, a contention Plaintiffs do not dispute. MSJ at 9 n.2; Reply at 2 n.2.

8 appear to articulate two different theories of CareFirst’s contractual duties: (1) an express

promise in the CareFirst Privacy Statements to comply with federal law, and HIPAA in

particular, in protecting member PII, Opp’n at 12–14, and (2) an implied promise to “use

adequate [or reasonable] measures to safeguard Plaintiffs’” PII, evidenced in part by

representations made in CareFirst’s Notice of Privacy Practices, id. at 6–7. The Court begins by

addressing whether the express terms of CareFirst’s Privacy Statements imposed only an

obligation for the company not to affirmatively disseminate customer PII to unauthorized parties

or also created a duty to prevent malicious third-party hackers from gaining access to PII,

specifically by virtue of the contracts’ reference to compliance with state, federal, and local laws

regarding the distribution of PII.4

In relevant part, CareFirst’s Privacy Statements provide that the company “shall comply

with state, federal and local laws pertaining to the dissemination or distribution of non-public

personally identifiable financial, medical or health related data” and, “[i]n that regard,” the

company “will not provide to . . . unauthorized third parties any personally identifiable financial

4 As a preliminary matter, CareFirst maintains that “Plaintiffs disavowed reliance on alleged HIPAA violations for all but their negligence per se claim, which the Court dismissed” at the motion to dismiss stage. MSJ at 13. The Court disagrees. In their opposition to CareFirst’s Rule 12(b)(6) motion to dismiss, Plaintiffs stated that “only Plaintiffs’ Negligence per se cause of action requires a finding that HIPAA was violated to be plausibly stated.” Opp. to Mot. to Dismiss at 19, ECF No. 45. In context, however, the Court understands this statement to express only Plaintiffs’ position that their other claims could survive even without finding a HIPAA violation. The opposition went on to say that Plaintiffs’ “breach of contract claim listed several terms other than HIPAA violations which were breached.” Id. Although the Court’s opinion on the motion to dismiss observed in a footnote that Plaintiffs “disavowed reliance on alleged HIPAA violations for all but their negligence per se claim,” Attias II, 365 F. Supp. 3d at 25 n.17, in context, this observation simply described Plaintiffs’ opposition and did not purport to bar any future reliance on a HIPAA-violation theory, which is expressly raised in Plaintiffs’ complaint. See SAC ¶¶ 68–69. Additionally, although CareFirst also points out that HIPAA does not provide a private right of action, MSJ at 12, the Court sees no reason why that fact would preclude a breach of contract claim premised on the violation of a promise to maintain HIPAA- compliant security systems.

9 or medical information without the prior written authorization of the patient or parent/guardian

of the patient or as otherwise permitted by law.” MSJ, Ex. B ¶ 25.5 CareFirst contends that this

promise pertains only to CareFirst’s affirmative “dissemination,” “distribution,” or “provi[sion]”

of sensitive PII to unauthorized third parties and, therefore, does not cover the conduct at issue

here—a hacker gaining unauthorized access into CareFirst’s computers despite CareFirst’s

security measures. MSJ at 11–12; Reply at 2. Because there is no evidence that CareFirst

intentionally provided PII to outside parties, CareFirst maintains summary judgment is

warranted. To this argument, Plaintiffs respond, albeit without any elaboration, that the terms

“dissemination,” “distribution,” and “provide” are ambiguous, rendering summary judgment

inappropriate under D.C. law. See Plaintiffs’ Statement of Material Facts (“PSMF”) ¶ 10

(“[T]he ambiguous nature of the words ‘affirmatively,’ ‘disseminate,’ ‘distribute,’ and ‘provide’

are open to interpretation and therefore create a genuine dispute of material fact.”); Aziken v.

District of Columbia, 70 A.3d 213, 219 (D.C. 2013) (summary judgment improper where

contract terms are ambiguous).

The Court agrees with CareFirst that this particular language created a limited obligation

on CareFirst to comply with applicable law with regard to its affirmative disclosure of PII. As

CareFirst points out, the terms “dissemination,” “distribution,” and “provide” all speak to

CareFirst’s affirmative conduct, e.g., its policies concerning when it may share private medical

information with health care providers or employers. See Disseminate, Merriam-Webster,

https://www.merriam-webster.com/dictionary/disseminate (last visited Sept. 13, 2023) (“to

spread abroad as though sowing seed; to disperse throughout”); Distribute, Merriam-Webster,

5 The Privacy Statements in Plaintiffs Richard and Latanya Bailey’s agreement do not include this express term, promising only to “keep your medical and claims records confidential.” Id. ¶ 29.

10 https://www.merriam-webster.com/dictionary/distribute (last visited Sept. 13, 2023) (“to spread

out so as to cover something; to give out or deliver especially to members of a group”); Provide,

Merriam-Webster, https://www.merriam-webster.com/dictionary/provide (last visited Sept. 13,

2023) (“to supply or make available (something wanted or needed); to make something available

to”). This language stands in contrast to the broader language of CareFirst’s Notice of Privacy

Practices (on which Plaintiffs do not appear to rely for any express contract argument), which

promises that the company “maintain[s] physical, electronic and procedural safeguards in

accordance with federal and state standards to protect your health information.” MSJ, Ex. Z at 1

(emphasis added). Unlike the insurance agreements, the Notice of Privacy Practices seems to

describe an affirmative duty to “protect” or “safeguard” information, as opposed to a duty merely

not to “disclose” or “disseminate” it without authorization.

As to Plaintiffs’ implied contractual term theory, however, the Court agrees that their

contracts with CareFirst included an implicit promise to take reasonable steps to secure their PII

against unauthorized intrusion by third parties. “Under D.C. law, an implied-in-fact contract

contains ‘all necessary elements of a binding agreement,’ differing from other contracts ‘only in

that it has not been committed to writing’ and is instead ‘inferred from the conduct of the

parties.’” Camara v. Mastro’s Rests. LLC, 952 F.3d 372, 375 (D.C. Cir. 2020) (quoting Boyd v.

Kilpatrick Townsend & Stockton, 164 A.3d 72, 81 (D.C. 2017)). The existence of an express

contract does not necessarily preclude the existence of additional, implied terms “inferred from

the conduct of the parties in the milieu in which they dealt.” Emerine v. Yancey, 680 A.2d 1380,

1383 (D.C. 1996) (quoting Vereen v. Clayborne, 623 A.2d 1190, 1193 (D.C. 1993)).6

6 Contrary to CareFirst’s suggestion that Plaintiffs’ implied contract theory is a new argument, Plaintiffs’ complaint alleges that “an implied contract was created whereby

11 Plaintiffs’ briefing is muddy as to exactly what implied contractual duty CareFirst

breached or the basis for inferring the existence of such an implied duty. Their opposition brief

states that “[a]n implied term in each contract is that Defendants will use adequate measures to

safeguard Plaintiffs’ and members’ information,” citing a passage from CareFirst’s corporate

representative deposition in which the deponent acknowledged that CareFirst had to “put in place

security safeguards to protect” PII. Opp’n at 6 (citing MSJ, Ex. C at 43:13–16). The opposition

also suggests that CareFirst’s security practices must be “reasonable under the circumstances”

and that CareFirst failed to “act in a reasonable manner” with respect to data security. Id.

Elsewhere in the opposition, Plaintiffs detail more specific security failures, for instance, a

failure to train employees properly and to implement particular kinds of database monitoring,

which the Court discusses in greater detail below. Id. at 6, 7–12.

Although Plaintiffs’ recitation of this implied contract argument does not identify a

particular history, course of dealings, or series of statements to support the existence of an

implied contractual term of this sort, the Court follows the lead of other federal courts that have

found an implied contractual duty to take reasonable measures to secure customer PII under

similar circumstances. See In re Arby’s Rest. Grp. Inc. Litig., No. 17-CV-0514-AT, 2018 WL

2128441, at *16 (N.D. Ga. Mar. 5, 2018) (citing cases). Generally, these decisions rest on the

principle that when a consumer provides sensitive information to a merchant or business, such as

credit card numbers (or, in this case, names, birth dates, and email addresses), “she intends to

provide that data to the merchant only” and would not expect “the merchant to allow

unauthorized third-parties to access that data,” resulting in “an implicit agreement to safeguard

Defendants’ [sic] promised to safeguard Plaintiffs’ health information and Sensitive Information from being accessed, copied, and transferred by third parties.” SAC ¶ 70.

12 the data” in order to effectuate the contract. Anderson v. Hannaford Bros. Co., 659 F.3d 151,

159 (1st Cir. 2011). As one court observed, “it is difficult to imagine how, in our day and age of

data and identity theft, the mandatory receipt of Social Security numbers or other sensitive

personal information would not imply the recipient’s assent to protect the information

sufficiently.” Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *9

(N.D. Cal. Sept. 14, 2016).7

This is not to say that every data breach will give rise to a valid claim for a breach of an

implied contract. But the conduct of the parties here is instructive, particularly CareFirst’s

Notice of Privacy Practices, which describes how the company may “use, disclose (share or give

out), collect, handle and protect our members’ protected health information” and represents that

the company “maintain[s] physical, electronic and procedural safeguards in accordance with

federal and state standards to protect your health information.” MSJ, Ex. Z at 1. Unlike the

Privacy Statements in Plaintiff’s insurance agreements, the Notice of Privacy Practices speaks of

7 To be sure, not all courts have agreed. For instance, CareFirst cites Gaddy v. Long & Foster Cos., No. 21-2396, 2022 U.S. Dist. LEXIS 46657 (D.N.J. Mar. 15, 2022), which dismissed a breach of implied contract claim arising from a data breach. Looking to confidentiality agreements similar to those at issue here, Gaddy held that such provisions did not give “rise to a plausible inference that Long & Foster implicitly promised to ward against the theft of Plaintiffs’ PII by hackers,” only a duty to avoid “intentional disclosure of employee PII.” Id. at *25–27 (emphasis in original). Such decisions buck the weight of authority, however, and CareFirst’s Notice of Privacy Practices, moreover, goes beyond merely addressing intentional disclosures. MSJ, Ex. Z at 1. The Court also is not persuaded by CareFirst’s reliance on Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017). There, the Eighth Circuit rejected an implied contract claim because the complaint did not specify “how Scottrade failed to take ‘industry leading’ security measures” to protect customer PII. Id. at 718; see also Anderson v. Kimpton Hotel & Rest. Grp., LLC, No. 19-CV-01860-MMC, 2019 WL 3753308, at *5 (N.D. Cal. Aug. 8, 2019) (dismissing implied contract claim where plaintiffs did not “plead any facts to support” the “conclusory assertions” regarding a failure to take reasonable steps to protect PII). By contrast, as discussed below, Plaintiffs here have amassed at least some evidence concerning measures that CareFirst could or should have taken to reduce the risk that hackers would pilfer member data.

13 an obligation to take affirmative steps to “protect” member PII. In light of the Notice of Privacy

Practices and the fact that Plaintiffs must provide certain PII to use CareFirst’s online web portal,

MSJ, Ex. C at 297, the Court agrees with the courts cited above that CareFirst made an implied

promise to take reasonable steps to secure Plaintiffs’ PII against threats from third-party hackers.

This was a promise that would substantially overlap with, if not include, HIPAA’s requirements

that covered entities ensure “the confidentiality, integrity, and availability of all electronic

protected health information” and protect “against any reasonably anticipated threats or hazards

to the security or integrity of such information.” 45 C.F.R. §§ 164.306(a)(1)–(2). Whether

CareFirst has breached that implied duty, however, is a closer question, to which the Court now

turns.

2. Breach

CareFirst asserts that, even if it had a contractual duty to take reasonable steps to secure

member PII, it did not breach that duty. MSJ at 13; Reply at 8–9. As evidence that CareFirst

acted reasonably, the company points out that the Health and Human Services (“HHS”) Office of

Civil Rights requested information concerning the company’s data security practices sometime

after the breach but eventually closed its investigation without finding any HIPAA regulation

violations. DSUF ¶ 26. CareFirst also points to a 2013 data security audit by KPMG, which

observed that CareFirst had “created a robust security awareness program,” had “enhanced

physical security capabilities,” and had begun implementing “a wide variety of tools and

technological solutions” to safeguard PII. MSJ, Ex. O at 290. Additionally, CareFirst’s expert

report by data-security analyst Ronald Yearwood posits that CareFirst was compliant with its

privacy policies, citing its implementation of firewalls and intrusion detection systems, its

maintenance of workstation and equipment use policies, and its monitoring of access to sensitive

14 files and systems. MSJ, Ex. BB at 15–16; see also DSUF ¶¶ 28–32 (highlighting a laundry list of

CareFirst’s technological and procedural safeguards for data protection); MSJ, Ex. A (House

Decl.) ¶ 23.

In response, Plaintiffs rely almost exclusively on the report of their own data-security

expert, Matthew Strebe, who outlines a series of purported shortcomings in CareFirst’s data

security practices that, he maintains, permitted the hackers to exfiltrate Plaintiffs’ PII. See

Opp’n at 7–12; PSMF ¶¶ 13–32. But expert opinion alone cannot create a genuine dispute of

fact. As CareFirst points out, “a party cannot avoid summary judgment when it offers an expert

opinion that is speculative and provides no basis in the record for its conclusions.” Martin v.

Omni Hotels Mgmt. Corp., 321 F.R.D. 35, 40 (D.D.C. 2017); accord Crystal Prods., Inc. v. Doc

Severinsen Orchestras, No. CIV.A. 90-932, 1994 WL 507546, at *3 (D.D.C. Sept. 10, 1992)

(“Where a party opposing summary judgment relies on expert opinion to support its position,

summary judgment is nevertheless appropriate if the expert’s opinion has no basis other than

theoretical speculations.”). On that note, Strebe’s report does not inspire a great deal of

confidence. As discussed below, it is often difficult to gauge the validity of Strebe’s conclusions

about CareFirst’s practices, either because he does not cite any materials to support his

statements or because Plaintiffs have not included or identified the cited materials in the

evidence filed with their summary judgment materials. Based on the evidence that Plaintiffs

have included, however, the Court will now proceed to evaluate whether the record could

support Strebe’s conclusions about CareFirst’s various data security deficiencies.

a. Failure to Engage a Full-Scale Incident Response Plan and Examine the Network

First, Plaintiffs assert that after learning about the spear phishing email in April 2014,

CareFirst “failed to engage its full-scale incident response plan, failing to examine the network,

15 as well as the Security Incident and Event Monitoring (‘SIEM’) System, which would have

revealed further indicators of an attack or compromise of Defendants’ network.” Opp’n at 8;

PSMF ¶¶ 17–18. Although Plaintiffs cite page 24 of the Strebe report for support, the relevant

pages appear to be pages 19–20 and 25–26. See MSJ, Ex. CC (Strebe Report) at 19–20, 25–26

(Page 24 focuses instead on “whitelisting” servers and security training.)

Strebe’s support for these conclusions is thin, at best. At the time of the data breach,

CareFirst used a product called ArcSight SIEM, a security incident event management tool that

examines “large volumes of logs and data to look for patterns of abnormality.” MSJ, Ex. C at

205; see also MSJ, Ex. B ¶ 39; MSJ, Ex. CC at 8 (“SIEM software collects the logs of all the

devices on a network including computers, servers, networking equipment, and security

equipment, and feeds them into a centralized system where they are filtered, processed,

aggregated, and analyzed automatically, generating bigger-picture events and alerts which are

exposed to human security operators for action, typically via graphing dashboards.”). Strebe

speculates that CareFirst failed to configure its SIEM system properly because, at some point,

AT&T apparently notified CareFirst of some suspicious activity within its network. MSJ, Ex.

CC at 20 (“When AT&T notified Care First that it had botnet participants operating inside its

network, [CAREFIRST-054755] indicated that CareFirst was overrun with malware that it did

not know about due to its deficient human monitoring of the SIEM and anti-malware logs which

were not being shipped to the SIEM.” (emphasis in original)). But Plaintiffs have not cited, nor

can the Court find in the filed summary judgment materials, the purported supporting evidence—

apparently an email, which is referred to in deposition transcripts in the record, MSJ, Ex. C at

54–75; MSJ, Ex. DD at 112–113.

16 From what the Court can glean about the email, however, it does not appear to support

Strebe’s conclusory assertions. The AT&T email was sent before the breach and had nothing to

do with the type of cyberattack at issue in this case. MSJ, Ex. C at 59 (“Q. Okay. And let’s be

clear. This breach has nothing to do with a DDOS attack, correct? . . . A. Correct.”). Moreover,

as CareFirst’s 30(b)(6) deponent testified, and as Strebe himself acknowledged, CareFirst

actually had discovered and addressed the suspicious activity discussed in the AT&T email

before the email was sent. Id. at 60, 306; MSJ, Ex. DD at 91. Thus, setting aside the inapposite

AT&T email, Strebe’s assertion that CareFirst failed to configure SIEM properly is not

supported by any citation. See MSJ, Ex. CC at 20 (“Routine monitoring of numerous system

logs was obviously not occurring, and events were recorded that would have flagged observant

administrators to ongoing threat actor activity.”). Nor does Strebe provide citations for

statements like “it never seems to have occurred to anyone that they should engage their full-

scale incident response plan and examine the network and the SIEM.” Id. at 26.

Additionally, Strebe contends that CareFirst’s ArcSight SIEM system “was deficient.”

Id. at 19. That conclusion, it seems, is premised on the reasoning that CareFirst, at some point,

replaced one SIEM system (ArcSight) with another one (QRadar), “because it could integrate

Sophos [antivirus] logs.” Id. ArcSight, Strebe explains, “was also capable of ingesting Sophos

[antivirus] logs at the time,” and so Strebe speculates that CareFirst’s justification for replacing

ArcSight with QRadar “indicates that nobody at CareFirst knew how to use or configure it to do

so.” Id. In addition to the fact that this theory is fairly speculative—divining CareFirst’s

improper use of antivirus technology from its alleged justification for changing to a different

SIEM system—the Court again cannot find in the evidentiary record submitted with the

summary judgment briefing any document supporting Strebe’s statement that CareFirst switched

17 to QRadar for reasons that demonstrated an unfamiliarity with the SIEM system. What evidence

the Court has been able to locate rather suggests that CareFirst switched to QRadar because of its

“heavy investment in IBM at the time” and its judgment that QRadar was “a better platform to

move to [because it] could serve [CareFirst’s] needs better and perform a better job.” MSJ, Ex.

C at 229–30.

Strebe also asserts that CareFirst “failed to change administrative credentials across the

board,” but his citation to a Bates-stamped page numbered CAREFIRST-000223 is followed by

a parenthetical stating, “check this cite for applicability.” MSJ, Ex. CC at 26. On its own, the

Court has located some evidence that CareFirst did not require “all users and administrators to

reset their passwords” after the breach. See MSJ, Ex. C at 277. Elsewhere, however, CareFirst’s

30(b)(6) deponent states that some number of users did have to change passwords, id. at 215, a

statement consistent with the Mandiant report’s finding that CareFirst performed a targeted

password reset for users who had downloaded the malicious software, MSJ, Ex. Q at 3–4. Even

assuming that CareFirst did not require the relevant employees to change their credentials and

that such a requirement would have stopped the cyberattack, Plaintiffs nowhere explain why

CareFirst’s failure to change administrator credentials was unreasonable under the

circumstances, given that CareFirst apparently did not know its employee may have exposed his

administrator credentials when he clicked the malware link. See MSJ, Ex. A ¶ 15; MSJ, Ex. C at

257, 147 (Doyle “testified internally that he did not” use administrator credentials when he

clicked the link).

Accordingly, the Court concludes that Strebe’s assertions regarding CareFirst’s initial

response to the cyberattack and its use of SIEM software are speculative, unsupported by record

evidence, and therefore do not create a genuine dispute of material fact.

18 b. Failure to Properly Train Employees

Plaintiffs next maintain that CareFirst failed to train its employees adequately on

recognizing spear phishing attempts and on properly using privileged accounts. Opp’n at 8–10;

PSMF ¶¶ 19–24; MSJ, Ex. CC at 24–25. On this point as well, Strebe’s report is decidedly

conjectural. Strebe states that among his company’s customers who do not use spear phishing

resistance training, 25–40% of users fail to identify phishing messages, versus 1–3% for those

customers who have received professional anti-spear phishing training. MSJ, Ex. CC at 24.

Strebe then states that, according to the Mandiant report, the spear phishing cyberattack on

CareFirst “was engaged against five users in the environment, two of whom clicked on the link,”

comprising a 40% failure rate. Id. From this, Strebe deduces that CareFirst “obviously lacked

spear-phishing resistance training for its end users.” Id.

There are multiple problems with this conclusion. For starters, Strebe’s numbers are

wrong. The Mandiant report states that the spear phishing campaign targeted 48 CareFirst

employees, six of whom clicked on the malicious link, and five of whom (a subset of the six)

downloaded and ran malicious software. MSJ, Ex. Q at 3; see also MSJ, Ex. C at 135–39.8 Six

out of 48 employees would amount to a 12.5% failure rate, not Strebe’s hypothetical 40% failure

rate. Even if he were right about the underlying figures, Strebe acknowledges that “there is a

small-numbers sampling problem in a five-user sample.” MSJ, Ex. CC at 24. Moreover, the

report in no way addresses CareFirst’s evidence that it does train its employees on data security.

See DSUF ¶ 30. Further, whether or not CareFirst’s employees could recognize a spear phishing

8 The Court cannot tell how Strebe procured his figures. Plaintiffs’ statement of undisputed material facts makes the same error—stating that two of five targeted employees downloaded the malicious software—but they cite the page of the Mandiant report that contains the opposing figures discussed above. PSMF ¶ 1.

19 email is irrelevant to Plaintiffs’ theory of how the cyberattack succeeded, which is that Doyle,

knowing full well that the email was a spear phishing attempt, nevertheless improperly went

rogue to investigate the attack and unwittingly gave the hackers access to his administrator

credentials. MSJ, Ex. CC at 25 (“Wesley Doyle’s naïve attempt at investigation opened the

backdoor . . . .”); PSMF ¶ 22 (“Mr. Doyle investigated the infected email on his own

recognizance . . . .”); MSJ, Ex. C at 143–44.

Apart from this conjecture about phishing failure rates, Strebe and Plaintiffs assert that,

with proper training, Doyle would not have used his administrator privilege account when he

clicked the malware. Opp’n at 9. But it is not clear from the record that Doyle was using his

administrator account when he clicked on the malware link, as the hackers could have accessed

administrator credentials stored in his machine’s cache even if he was using his non-privileged

user account. MSJ, Ex. C at 145–73. And even if Doyle happened to access the malware via his

administrator account, Strebe’s report states that CareFirst did employ the best practice of

requiring “admin users to use low privileged accounts for their routine work.” MSJ, Ex. CC at

24. For further support that reasonable steps could have avoided Doyle’s error, Plaintiffs cite the

following exchange from the deposition of CareFirst’s data security expert:

Q: And would you agree that with proper administrative safeguards, Mr. Doyle would have had the knowledge not to click on an identified spear phishing malware link? . . .

THE WITNESS: So I don’t know what the history of safeguards would have – and I mean if we’re thinking administrative safeguards as far as additional training, perhaps that’s possible, that with additional training he may . . . have had a different perspective. I don’t know . . . . I can’t say that he didn’t receive training . . . regarding phishing or . . . other topics.

Opp’n, Ex. C at 137. This exchange is no smoking gun. Rather, it is entirely non-committal and

not based on any concrete facts about Doyle’s training or what additional training might have

20 changed his behavior.9 Plaintiffs thus have not created a genuine dispute of material fact as to

whether CareFirst employees were properly trained against spear phishing attacks.

c. Failure to Implement Network Segmentation and Search for Lateral Movement

Next, Plaintiffs contend that CareFirst failed to implement proper segmentation—

essentially the placement of digital borders between various internal computer systems—and

failed to monitor traffic flowing between such segments to prevent hackers from engaging in

“lateral movement” between computer systems. PSMF ¶¶ 25–26; MSJ, Ex. CC at 18–19.

Unlike Plaintiffs’ previous theories, the contention that CareFirst failed to monitor potential

lateral movement sufficiently in the wake of the initial spear phishing incident creates a genuine

dispute as to the element of breach.

Strebe’s report acknowledges that “CareFirst has stated that it implements network

segmentation.” MSJ, Ex. CC at 19. Based on the fact that attackers nevertheless moved through

the network without detection, however, Strebe asserts that CareFirst did not adequately monitor

the metaphorical “borders” between digital segments. Id. Once again, however, Strebe cites no

evidence to support this contention, and the record, to the contrary, suggests that CareFirst did in

fact monitor for such traffic as a general matter. See MSJ, Ex. C at 184–85 (stating that

CareFirst looked for lateral movement in April 2014 and at other times); id. at 213 (“We

monitored for activity from the suspect segment and did not see any indication of traffic coming

9 Strebe repeatedly suggests that CareFirst must have known that Doyle used his administrator credentials when he clicked on the link, relying on the notion that CareFirst “reprimanded” Doyle for doing so. MSJ, Ex. CC at 24–25. Again, the record does not establish that Doyle used his administrator credential when he clicked the link. And the statement lacks support in any case, with Strebe adding the parenthetical “[cite reprimand]” after making this assertion. Id. at 24. CareFirst’s 30(b)(6) deponent, moreover, made clear that Doyle was reprimanded for accessing the spear phishing message, not because CareFirst believed he used a privileged account in doing so. See MSJ, Ex. C at 166–67.

21 from there.”); id. at 195–201 (explaining that there were “blocks” for “the known indicators of

compromise into our firewalls, and so they would have shown up as firewall blocks in the logs”);

id. at 203 (“The sensors that we had at the time were cross-network segment sensors. So the

degree that the communication was externally to something in another segment of our network

that had a sensor between the two, then we could have seen that traffic.”); id. at 204 (“As part of

our standard monitoring, we capture that traffic.”); id. at 207 (noting that the “SIEM platform . . .

has correlation rules that look for abnormalities” to monitor lateral movement).

Despite the dearth of evidence in Strebe’s report to support his conclusion that CareFirst

did not properly segment or monitor the segmentation of its computer systems, Plaintiffs have

identified one document from which a reasonable jury might conclude otherwise: an email in

which CareFirst’s chief security officer, Don Horn, responding to another IT official’s request

for information about the company’s conduct after the phishing incident, stated that the IT team

“did not look for lateral movement” after the phishing incident. Opp’n, Ex. L at 6–8. But even

this evidence is mixed. Horn’s email proceeds to state that the IT team “jumped on the incident

quickly and had no reason to suspect that the attacker moved even faster,” adding that company

IT “monitored for activity from the suspect segment . . . and did not see any indication of traffic

coming from there,” language which sounds similar to looking for lateral movement. Id. at 6.

According to CareFirst’s corporate deponent, Horn’s description was incorrect and the company

“had documentation from a member of his staff indicating that some steps were taken to look

for . . . lateral movement.” MSJ, Ex. C at 209; see also id. at 205–13. That “documentation”

appears to be another email in the chain with Horn, in which another CareFirst cybersecurity

specialist described monitoring of traffic to and from the workstations and domain associated

with the phishing attack. Opp’n, Ex. L at 4–5. But even so, that cybersecurity specialist

22 conceded that, “[i]n retrospect,” CareFirst’s monitoring should have been more comprehensive

and that the company “should have had a protocol or a process for monitoring *all* remote

access involving the credentials associated with these users” “across the enterprise,” which

would have provided “some indication that the perimeter had been breached.” Id. at 5.

Reading this evidence in the light most favorable to Plaintiffs, these emails, although

their conclusions are disputed by CareFirst, create a genuine question about whether CareFirst

searched adequately for lateral movement in the immediate aftermath of the spear phishing

attack.

d. Failure to Implement Database Access Monitoring

Last, Plaintiffs maintain that CareFirst failed to implement “Database Access

Monitoring,” or “DAM,” a practice of logging database queries (such as commands to insert,

update, delete, or alter data) and setting alerts for the use of specific commands (such as mass

deletions of data) which might signal nefarious activity. Opp’n at 11; PSMF ¶¶ 27–30; MSJ, Ex.

CC at 20–21. Here, again, Plaintiffs’ contention has modest support in the record and creates a

genuine dispute of material fact as to breach.

The Strebe report cites an internal CareFirst document which appears to post-date the

2014 phishing attack and which, according to CareFirst, was prepared to obtain internal approval

of a plan to implement DAM. See Opp’n, Ex. L at 2; Reply at 9 n.5. At one point, the document

states that failure to implement DAM “leaves CareFirst databases vulnerable to inappropriate

access to protected information, leading to non-compliance with HIPAA regulations that can

lead to criminal penalties and fines, and an inability to respond to the audit findings.” Id.

Pointing to this statement, Strebe opines that properly configured DAM would have more

quickly detected the unauthorized access to CareFirst’s network resulting from the 2014 phishing

23 attack. MSJ, Ex. CC at 21. CareFirst addresses DAM only in a footnote in its reply brief and

does not deny that it had not implemented DAM as of 2014. See Reply at 9 n.5. Rather,

CareFirst cites a portion of Strebe’s deposition testimony, in which CareFirst’s lawyer pointed

out that the use of DAM did not stop similar hacks of Anthem and Premera, which had

implemented DAM. Reply at 9 n.5; MSJ, Ex. DD at 125. Strebe’s full deposition testimony,

however, goes on to opine that, in the Anthem and Premera cases, DAM was not “properly

configured to alert” users to suspicious activity and that, based on his work in those cases, DAM

“did provide numerous indicators of attack prior to the exfiltration” of data. Id. at 125–26.

CareFirst also argues that “the DAM tool,” even if implemented, “would not have been

able to detect lateral movement,” Reply at 9 n.5, but that observation appears to be beside the

point. Although detecting suspicious lateral movement was one way in which CareFirst might

have caught the hackers, Strebe contends that DAM could have detected them in different ways,

for example, by alerting CareFirst IT to the use of “high-threat queries” in the company’s

databases, such as those deleting or moving large amounts of data. MSJ, Ex. DD at 123. The

Court therefore concludes that Plaintiffs have established a genuine factual question as to

whether the implementation of DAM was the sort of reasonable data-security measure that could

have abated the 2014 cyberattack.

e. Conclusion

In sum, although many of the purported security flaws on which they rely lack factual

foundation, Plaintiffs have pointed to at least some evidence to support the conclusion that

CareFirst failed to search for lateral movement after the spear phishing incident and failed to

implement DAM. Plaintiffs do not provide much legal argument, however, as to the more

difficult question: whether a jury could find that either or both of these failures constituted a

24 breach of CareFirst’s implied contractual duty to take reasonable steps to safeguard member PII

and to comply with HIPAA’s data-security standards, to the extent they also require covered

entities to take reasonable precautions to safeguard protected data. Nevertheless, the Court

concludes that a jury must ultimately answer that question.

“While in some rare cases where there is no controversy over the facts, the issue of

whether a party to a contract has breached a contractual provision is also a question of law,

generally whether there was a breach of the terms of a contract is a question of fact.” 23

Williston on Contracts § 63:15 (4th ed.) (footnotes omitted). Put another way, “[w]ith respect to

assertions that a contract has been breached, ‘[t]he determination whether a material breach has

occurred is generally a question of fact’” but may reduce to a question of law only if there is but

“one reasonable conclusion.” America v. Preston, 468 F. Supp. 2d 118, 122 (D.D.C. 2006)

(second alteration in original) (quoting 23 Williston on Contracts § 63:3 (4th ed.)). Particularly

with respect to breaches that turn on the reasonableness of the breaching party’s actions,

however, whether the defendant’s conduct constitutes a breach of a contract is usually a jury

question. See, e.g., 17B C.J.S. Contracts § 1041 (“Questions of the reasonableness of behavior

or performance under a contract expressly or impliedly calling for reasonable effort or behavior

are generally questions of fact as under a provision for commercially reasonable efforts. . . . The

question becomes one of law in the absence of an issue of material fact when only one inference

can be drawn from the evidence or when reasonable minds could not differ or could come to

only one conclusion.” (footnotes omitted)); VKGS, LLC v. Planet Bingo, LLC, 962 N.W.2d 909,

920 (Neb. 2021) (“Typically, the question of whether reasonable measures were taken to keep

information confidential is an issue for a jury.”); Informed Physician Servs., Inc. v. Blue Cross &

Blue Shield of Md., Inc., 711 A.2d 1330, 1342 (Md. 1998) (“[W]hat will constitute reasonable

25 efforts under a contract expressly or impliedly calling for them is largely a question of fact in

each particular case and entails a showing by the party required to make them of ‘activity

reasonably calculated to obtain the approval by action or expenditure not disproportionate in the

circumstances.’” (quoting Allview Acres v. Howard, 182 A.2d 793, 796 (Md. 1962))).

Here, whether Plaintiffs’ theory of breach turns on HIPAA’s regulatory standards or on

what data security practices are reasonable in the abstract, either basis for liability is essentially

premised on the reasonableness of CareFirst’s data security measures. Although Plaintiffs do not

cite any provisions of HIPAA that they allege were violated, CareFirst concedes that the

“HIPAA Security Rule contemplates a flexible approach, as ‘[c]overed entities . . . may use any

security measures that allow the covered entity . . . to reasonably and appropriately implement

the standards and implementation specifications as specified in this subpart.’” MSJ at 13

(emphasis added) (quoting 45 C.F.R. § 164.306(b)(1)). Although HIPAA regulations also set

forth more specific requirements, the lodestar in the analysis is reasonableness.

To be sure, there is also evidence in the record—a great deal of it—that supports

CareFirst’s contention that it took adequate measures to protect Plaintiffs’ PII. Among other

things, CareFirst has pointed to audits by KPMG showing a high degree of compliance with

HIPAA privacy and security standards, has produced an expert report further describing the

company’s data security efforts, and has included in its filings a multitude of documents

evidencing the existence of internal security compliance policies. See MSJ, Ex. BB (Yearwood

report); MSJ, Ex. O at 286–305 (2013 KPMG audit); id. at 306–44 (2014 KPMG audit); id. at

290 (stating that CareFirst “has created a robust security awareness program” and has

implemented “a wide variety of tools and technological solutions to assist in safeguarding” PII);

id. at 291 (stating that CareFirst “complies to some level with 99% of the CMS audit protocols”);

26 id. at 1218–1300 (information security compliance manual). But see MSJ, Ex. O at 292–95

(pointing out areas for improvement, including lacking “a complete understanding of where all

[Electronic Personal Health Information (‘ePHI’)] is housed, accessed, transmitted, or

managed”).10

On the other side of the balance, moreover, neither Strebe’s expert report nor his defense

of that report in his deposition inspires much confidence. In addition to the missing citations and

speculation in his report, Strebe appeared to walk back some of his written opinions in his

deposition. See MSJ, Ex. DD at 115 (acknowledging that Strebe “would give [CareFirst] a pass

for not being able to detect” certain forms of lateral movement “because a lot of that

technology’s newer”); id. at 103 (considering whether he needs to revise report’s statement that

certain security tools were “common” in 2014); id. at 105–06 (acknowledging that statement that

the hacker could not have gotten administrator credentials had CareFirst better monitored those

credentials “is a little bit incorrect” and “a little bit erroneous”); id. at 112 (“well, okay, I don’t

want to be that assertive”). At other times, Strebe showed a lack of awareness of some important

facts in the record. See id. at 117 (stating that he was not aware that it took Mandiant 70 scans of

CareFirst’s systems to discover evidence of the breach, after writing in his report that the breach

was “easily found by Mandiant”).

10 As noted previously, CareFirst also relies on the decision of HHS’s Office of Civil Rights to close its investigation into the company’s data breach without finding any HIPAA violations. MSJ at 21. HHS’s closure letter, however, at most states that, as of the investigation’s closure in 2021, CareFirst had “taken numerous steps to enhance its security posture by employing additional policies and procedures to continue reducing risk to its ePHI environment.” MSJ, Ex. P at 5. The fact that HHS closed its investigation does not, without more, prove that CareFirst had taken reasonable steps to protect customer PII as of 2014 and 2015.

27 At this stage, however, the Court cannot make credibility determinations or weigh the

evidence; those tasks must be left to a jury. Barnett, 715 F.3d at 358. Whatever the Court’s

view of who has the stronger case, Plaintiffs have pointed to more than “a scintilla of evidence”

from which a reasonable jury could conclude CareFirst breached its promise to take certain

reasonable steps to safeguard their PII. Chen v. Bell-Smith, 768 F. Supp. 2d 121, 133 (D.D.C.

2011) (quoting Anderson, 477 U.S. at 252).

3. Causation

In its reply brief, CareFirst also contends that summary judgment is warranted because

Plaintiffs have not established causation. Reply at 9–10. Because CareFirst did not raise this

argument in its opening brief, and thus Plaintiffs had no opportunity to address it, CareFirst’s

objection to causation is waived. Shands Jacksonville Med. Ctr. v. Burwell, 139 F. Supp. 3d

240, 260 n.7 (D.D.C. 2015) (citing New York v. EPA, 413 F.3d 3, 20 (D.C. Cir. 2005)).

Even if the argument were not waived, the Court does not find it persuasive. CareFirst

maintains that the cause of the breach was Doyle’s clicking on the malware link with his

administrator credentials and that there “is no evidence in the record suggesting any other cause

for how the hackers gained access.” Reply at 9–10. That Doyle’s initial actions may have

triggered the cyberattack may be true, but it is irrelevant to legal causation. Plaintiffs’ theory is

that CareFirst’s database security deficiencies led to failures to detect and thwart the hackers

after they were given access, which is what Plaintiffs maintain enabled the exfiltration of their

PII. That Doyle was solely responsible for permitting the initial access is immaterial to that

theory of breach.

28 4. Damages

Finally, CareFirst renews its previous argument that Plaintiffs have not shown actual

damages. MSJ at 15–18; Reply at 10–12. This question has already been litigated in this case.

In Attias III, the Court granted Plaintiffs’ motion for reconsideration of the prior decision to

dismiss Plaintiffs’ contract claim and permitted that claim to proceed on the theory that a

prevailing party might be eligible for nominal damages, even if actual monetary damages cannot

be proved and even if Plaintiffs’ costs associated with mitigating the risk of identity theft do not

constitute actual damages. 518 F. Supp. 3d at 48, 52.

CareFirst acknowledges that ruling, but insists that dismissal is warranted nonetheless

because any nominal damages available here are de minimis. MSJ at 17. For this argument,

CareFirst relies on Henson v. Prue, 810 A.2d 912 (D.C. 2002). There, the D.C. Court of Appeals

upheld a trial court’s verdict that the plaintiff’s eviction was unlawful, which included an award

of an injunction but no damages. Id. at 916. The court stated that although it could theoretically

remand the case with instructions to award nominal damages, “[s]uch a remand would . . . be

symbolic only” and the failure of the trial court to award nominal damages was “not a ground for

reversal.” Id. (quoting Lee v. Dunbar, 37 A.2d 178, 180 (D.C. 1944)); id. (“[A] judgment for

plaintiff will not be reversed on appeal for a failure to award nominal damages, even though

plaintiff is entitled to recover nominal damages as a matter of law.” (quoting Kraisinger v.

Liggett, 592 P.2d 477, 480 (Kan. 1979))). Henson, therefore, stands only for the proposition that

a failure to award nominal damages is not a ground for reversal and remand on appeal; it does

not hold that Plaintiffs’ case here should be dismissed simply because nominal damages are, as a

rule, de minimis.

29 Plaintiffs also contend that, in addition to nominal damages, (1) the Tringlers have shown

possible entitlement to actual damages stemming from tax fraud they purportedly suffered after

the CareFirst breach and (2) mitigation expenses should qualify as actual damages. Opp’n at 23–

24. Because, as Plaintiffs do not dispute, tax fraud would only be possible through the use of the

Tinglers’ Social Security or tax identification numbers, Plaintiffs suggest there is a genuine

dispute about whether the hackers here accessed such information, as opposed to only Plaintiffs’

names, dates of birth, web portal usernames/email addresses, and CareFirst subscriber

identification numbers. PSMF ¶ 6–7. But there is no evidentiary support for this conclusion.

The only evidence Plaintiffs cite is CareFirst’s breach notification letter sent to affected members

in 2015, which stated that, based on the Mandiant investigation, it “appears that attackers had

access to your name, subscriber ID, email address and date of birth as well as the user name that

you setup [sic] as part of your registration to use the site.” Opp’n, Ex. I at 1. Plaintiffs

emphasize that the use of the word “appears” leaves room for doubt that more information might

have been breached. PSMF ¶ 6. But that interpretation of the letter is belied by the letter itself,

which goes on to explain that “the attackers did not gain access to your medical information,

claims information, Social Security number, credit card, financial information or any other

information about you.” Opp’n, Ex. I at 1. To boot, the suggestion that the hackers accessed

Social Security or other taxpayer numbers is rebutted by other uncontradicted evidence,

including the Mandiant report, MSJ, Ex. Q at 4 (noting that CareFirst member data did not

include Social Security or taxpayer ID numbers), and CareFirst’s 30(b)(6) deponent’s testimony,

MSJ, Ex. C at 225–26.

Plaintiffs next assert that, “even assuming that the hacker(s) did not access the Tringer’s

[sic] Social Security numbers”—as the undisputed record shows—“the information obtained in

30 the breach was entirely sufficient to execute a successful identity theft against not just the

Tringlers, but all Plaintiffs.” Opp’n at 23. Plaintiffs raise two arguments to support this claim.

First, Plaintiffs posit that the D.C. Circuit, in this case, already concluded that the

information involved in this breach could be combined to commit identity theft and fraud “even

if the compromised information did not include plaintiffs’ social security numbers.” Id. The

Circuit did not so hold. What the Circuit said, and what this Court restated in its opinion

granting partial reconsideration, was that the complaint alleged that CareFirst stored PII—

including credit card and Social Security numbers—and that, even absent a breach of Social

Security numbers, Plaintiffs faced a risk of some forms of medical identity fraud sufficient to

plead standing. See Attias I, 865 F.3d at 628; Attias III, 518 F. Supp. 3d at 47–48. Neither the

Circuit nor this Court ruled that the evidence in fact supported such an allegation in this case. In

light of the now developed record, which shows that the information required to commit the

Tringlers’ tax fraud was not a part of the CareFirst breach, the assertion that the breach caused

the Tringler’s purported experience with tax fraud is simply not plausible.11

Second, Plaintiffs point to a statement in their damages expert report, by Daniel J.

Korczyk, that “it does not take much stolen information to put a person’s finances at risk . . .

[one’s] name and address are enough information to serve as a gateway to steal [someone’s]

11 The only other evidence Plaintiffs cite regarding the Tringlers is Mrs. Tringler’s deposition testimony, in which she affirmatively answered counsel’s question, “Did the Maryland Comptroller connect your tax return fraud to the CareFirst breach?” MSJ, Ex. H at 39. Setting aside the probability that this statement is inadmissible hearsay, this response to a leading question from Plaintiffs’ counsel cannot create a genuine question for a jury in light of the overwhelming evidence that Plaintiffs’ Social Security and tax ID numbers were simply not part of the CareFirst breach. Indeed, the more plausible interpretation of Mrs. Tringler’s statement is that an official with the Maryland Comptroller indicated he or she “had seen the letter” sent by CareFirst, MSJ, Ex. G at 48 (Curt Tringler deposition), a fact that would “connect” the tax fraud to the breach, but not in any meaningful way.

31 identity.” Opp’n at 23–24.12 Plaintiffs’ suggestion, it seems, is that the theft of the information

here—limited to member names, subscriber ID numbers, date of birth, and email addresses—

could have opened the door to hackers to procure member Social Security numbers through

different avenues, which in turn could have enabled someone to obtain the Tringlers’ tax refund.

Aside from Korczyk’s statement, Plaintiffs cite no evidence that such a conjectural series of

events actually happened in this case. Such “[m]ere speculation is not enough to survive

summary judgment.” Atanus v. Sebelius, 652 F. Supp. 2d 4, 10 (D.D.C. 2009); see also Byrd v.

EPA, 174 F.3d 239, 248 n.8 (D.C. Cir. 1999) (“It is well settled that [c]onclusory allegations

unsupported by factual data will not create a triable issue of fact.” (alteration in original)

(quoting Exxon Corp. v. FTC, 663 F.2d 120, 126–27 (D.C. Cir. 1980))).

Finally, with respect to whether their expenditures on mitigation measures in response to

the data breach may constitute actual damages, Plaintiffs attempt to distinguish this case from

Randolph v. ING Life Insurance and Annuity Co., 973 A.2d 702 (D.C. 2009), where the D.C.

Court of Appeals held that costs “incurred to undertake credit monitoring or other security

measures to guard against possible misuse of” breached data are “not the result of any present

injury, but rather the [result of] the anticipation of future injury that has not materialized,” id. at

708 (citation omitted). Plaintiffs suggest this case is not governed by Randolph, despite the

Court’s previous conclusion, because Randolph noted in a footnote that “there is no evidence

that the burglary” resulting in the theft of an ING employee’s laptop containing plaintiffs’ data

“was undertaken for the specific purpose of obtaining the information on the laptop.” Id. at 704

12 Plaintiffs cite Exhibit A to their opposition but did not attach the correct pages of the Korczyk report. The Court was only able to review the correct pages because they were also submitted as an exhibit to Plaintiffs’ motion for class certification. See Mot. for Class Cert, Ex. 7 at 22, ECF No. 89-7.

32 n.2. That footnote, however, had no bearing on the court’s conclusion that mitigation expenses

did not constitute actual harm. This argument therefore fails.

* * *

For the foregoing reasons, although their recovery is almost certainly limited to nominal

damages, Plaintiffs have created a genuine dispute of material fact as to their breach of contract

claim. The Court, accordingly, denies CareFirst’s motion for summary judgment as to that

claim, with one caveat: CareFirst argued in its motion that two of the named defendants—

CareFirst, Inc. and Group Hospitalization and Medical Services, Inc.—did not have any

contractual relationship with any of the named Plaintiffs. MSJ at 9 n.2; MSJ, Ex. B ¶¶ 3, 5, 17,

21, 24, 27, 29. Rather, only CareFirst BlueChoice, Inc. and CareFirst of Maryland, two

subsidiaries of CareFirst, Inc. and Group Hospitalization and Medical Services, Inc., had

contractual relationships with Plaintiffs. MSJ, Ex. B ¶¶ 15, 19, 22, 26; see also DSUF ¶¶ 9–25.

Because Plaintiffs did not dispute this argument, the Court concludes that it is conceded.

Mulhern v. Gates, 525 F. Supp. 2d 174, 185 n.15 (D.D.C. 2007) (“On a motion for summary

judgment, the Court may assume that the non-moving party has conceded the moving party’s

statement of facts unless the non-moving party specifically controverts the moving party’s

statement.”). The Court therefore grants CareFirst’s motion for summary judgment on Plaintiffs’

breach of contract claim as to Defendants CareFirst, Inc. and Group Hospitalization and Medical

Services, Inc. only.

B. Maryland Consumer Protection Act

The Court next addresses CareFirst’s contention that summary judgment is warranted on

Plaintiffs’ MCPA claim. Plaintiffs advance two theories for CareFirst’s alleged violation of the

MCPA: first, that CareFirst’s Notice of Privacy Practices misrepresented that CareFirst

33 maintained data-security safeguards “in accordance with federal and state standards,” and

second, that CareFirst’s investigation and notification of the data breach violated the Maryland

Personal Information Protection Act (“MPIPA”), a violation of which would also constitute an

MCPA violation. Neither theory can be sustained. As to the first, Plaintiffs have failed to

adduce evidence that they were even aware of, let alone that they relied on, statements in the

Notice of Privacy Practices. And as to the second, the data breach at issue in this case does not

fall within the scope of MPIPA.

1. Misrepresentation Theory

“In a private action under the MCPA, a consumer must establish ‘(1) an unfair or

deceptive practice . . . that is (2) relied upon, and (3) causes them actual injury.’” In re Marriott

Int’l, Inc., Customer Data Sec. Breach Litig., 341 F.R.D. 128, 159 (D. Md. 2022) (quoting Bey v.

Shapiro Brown & Alt, LLP, 997 F. Supp. 2d 310, 319 (D. Md. 2014)). Among the unfair or

deceptive practices that can support an MCPA claim are making false or misleading statements

that have the capacity, tendency, or effect of deceiving or misleading consumers; representing

that consumer services have a characteristic which they do not have; and failing to state a

material fact if the failure deceives or tends to deceive. Md. Comm. Code § 13-301(1)–(3). If

relying on a misrepresentation theory, consumers “must prove that they relied on the

misrepresentation in question to prevail on a damages action under the MCPA.” Bank of Am.,

N.A. v. Jill P. Mitchell Living Tr., 822 F. Supp. 2d 505, 532 (D. Md. 2011); accord Akins v. Fair

Acquisitions, LLC, No. 1:20-cv-816 (RDA/MSN), 2021 WL 1239221, at *5 (E.D. Va. Mar. 26,

2021) (“[A] consumer bringing a claim under the [MCPA] must allege he relied on” the alleged

misrepresentation.” (citing Lloyd v. Gen. Motors Corp., 916 A.2d 257, 277 (Md. 2007))). “A

consumer relies on a misrepresentation when the misrepresentation substantially induces the

34 consumer’s choice.” Bank of Am., 822 F. Supp. 2d at 532. “The requirement of reliance flows

from the MCPA’s prescription that the party’s ‘injury or loss’ be ‘the result of’ the prohibited

practice . . . .” Peete-Bey v. Educ. Credit Mgmt. Corp., 131 F. Supp. 3d 422, 432 (D. Md. 2015)

(quoting Bank of Am., 822 F. Supp. 2d at 534).

Plaintiffs maintain that CareFirst’s Notice of Privacy Practices constitutes a material

misrepresentation under the MCPA. Opp’n at 16–17. In relevant part, the Notice of Privacy

Practices, which is made available to CareFirst members at some point near the time of

enrollment, states:

We maintain physical, electronic and procedural safeguards in accordance with federal and state standards to protect your health information. All of our associates receive training on these standards at the time they are hired and thereafter receive annual refresher training. Access to your protected health information is restricted to appropriate business purposes and requires pass codes to access our computer systems and badges to access our facilities. Associates who violate our standards are subject to disciplinary standards.

MSJ, Ex. Z at 1.

At the outset, it is questionable whether the Notice of Privacy Practices contains a

misrepresentation at all. Whether the potential data security shortcomings discussed above

constitute a viable misrepresentation under the MCPA depends on what a reasonable consumer

would understand the Notice to represent. Sager v. Housing Com’n of Anne Arundel Cnty., 855

F. Supp. 2d 524, 558 (D. Md. 2012) (“In Maryland, whether a statement is ‘misleading’ is judged

from the point of view of a reasonable, but unsophisticated consumer.” (citing Luskin’s, Inc. v.

Consumer Prot. Div., 726 A.2d 702, 712 (Md. 1999)). Plaintiffs do not argue that the Notice

misrepresented that CareFirst employees receive training on data privacy, that access to PII is

restricted, or that employees who violate the company’s standards are subject to discipline.

Rather, citing the evidence discussed above and pointing to the first sentence of the Notice,

35 Plaintiffs contend that CareFirst misrepresented that it maintains procedural safeguards “in

accordance with” federal and state law. Opp’n at 16–17. But that sentence can be read in

multiple ways. On the one hand, it can be read to say that CareFirst maintains safeguards to

protect health information, as is required by federal and state law. On the other, the Notice can

be read to say that CareFirst maintains safeguards to protect health information and that those

safeguards satisfy the federal and state standards. If the former interpretation governs, then

CareFirst made no misrepresentation at all. The company did, indeed, maintain a host of

physical, electronic, and procedural safeguards required by federal law to protect member data,

as the 2013 KPMG audit confirms. If the latter interpretation governs, then whether there was a

misrepresentation would turn on whether CareFirst actually satisfied HIPAA’s standards, a

question that is subject to reasonable disagreement.

The Court need not resolve how a reasonable consumer would interpret the Notice,

however, because Plaintiffs have not demonstrated a genuine dispute of material fact as to

reliance. As CareFirst points out, there is no evidence in the record that any of the Maryland

Plaintiffs—Curt and Connie Tringler and Lisa Crider—relied on (or, indeed, even read) the

Notice of Privacy Practices when they obtained insurance from CareFirst. MSJ at 25. When

asked at her deposition why CareFirst was her healthcare insurance provider, Connie Tringler

stated that “[i]t was through my husband’s work [as an employee of Allegany County, Maryland]

that we received this insurance,” as CareFirst “was the health insurance provider for the

County’s employees at the time.” MSJ, Ex. H at 15–16. In his deposition, Curt Tringler

confirmed that he had CareFirst insurance because, as far as he knew, it “was the presumptive

healthcare insurance provider for those employees who worked for Allegany County” during his

employment. MSJ, Ex. G at 15–16. Lisa Crider similarly testified that the law firm where she

36 worked usually offered two health insurance plans—CareFirst and another plan—but that

“almost all my life I’ve had BlueCross BlueShield CareFirst,” suggesting she chose CareFirst

because of its name recognition or her familiarity with the company. MSJ, Ex. J at 16. None of

these depositions discusses any reliance on the Notice of Privacy Practices. Rather, the only

evidence in the record going to Plaintiffs’ reasons for choosing CareFirst suggests that they

selected the carrier either because it was the insurance offered through their employment or

because of their pre-existing relationship with the brand.13

Plaintiffs’ two arguments in response are not persuasive. First, Plaintiffs assert that

CareFirst “accompanied” the “option to enroll in CareFirst’s online portal” with “specific

promises and representations” regarding data security, and thus suggest that all Plaintiffs relied

on the representations in the Notice at least when enrolling in the company’s online portal, even

if they did not do so when selecting CareFirst insurance. Opp’n at 17. Plaintiffs cite no evidence

in the record to establish that they were prompted to review the Notice (or any other privacy

statements) upon signing up for CareFirst’s online portal, nor can the Court find such evidence.

This bare assertion in Plaintiffs’ briefing is insufficient to avoid summary judgment.

Second, Plaintiffs maintain that “[w]hether a misrepresentation substantially induces a

consumer’s choice is ordinarily a question for fact for the trier of fact,” Opp’n at 21 (quoting

Bank of Am., 822 F. Supp. 2d at 532), and that whether a consumer relied on a misrepresentation

is an objective, not subjective, inquiry, meaning that the Court may presume reliance based on

13 CareFirst also maintains that Plaintiffs cannot show reliance because members “do not even receive the Notice of Privacy Practices until after enrollment.” MSJ at 25. The Court is not convinced by this argument, as CareFirst’s 30(b)(6) deponent stated that the Notice is provided “at enrollment,” MSJ, Ex. C at 289, which could mean just before or at the same time as the enrollment decision. In any event, when the Notice is made available to Plaintiffs is irrelevant absent any evidence that they reviewed it or considered it in their health insurance decisions.

37 the objective materiality of the alleged misrepresentation, Opp’n at 22. Plaintiffs raised a similar

argument in their motion for class certification, citing cases that have presumed classwide

reliance under the MCPA. For the reasons stated in the memorandum opinion denying class

certification (without prejudice), ECF No. 100, the Court remains skeptical that classwide

reliance can be presumed in this case. But, in any event, even the case on which Plaintiffs rely

for this theory explains that “one must at least know whether a plaintiff was ‘exposed’ to the

allegedly deceptive conduct even if one does not need to know whether he or she relied upon the

conduct.” In re Marriott Int’l, 341 F.R.D. at 158–59 (discussing New York law, but then

applying that analysis to the MCPA). Here, Plaintiffs cite no evidence that they were even aware

of the Notice of Privacy Practices, let alone that it influenced their decisions to obtain CareFirst

insurance or to enroll in the online portal.

To be sure, Plaintiffs need not show that the alleged misrepresentation in the Notice was

the but-for cause of their decision to choose CareFirst insurance. Bank of Am., 822 F. Supp. 2d

at 532 (citing Nails v. S & R, Inc., 639 A.2d 660, 669–70 (Md. 1994)). But even if materiality

“can be presumed from the nature of the practice” on an objective basis, the reason for that

presumption is “the probability that the deceptive practice affected the consumer’s decision.”

Luskins, Inc. v. Consumer Prot. Div., 726 A.2d 702, 713 (Md. 1999) (citing Matter of Cliffdale

Assocs., 103 F.T.C. 110, 175–76 (1984)). Where, as here, there is no evidence that a consumer

was even aware of an alleged misrepresentation, there is also no basis for assuming any

“probability that the deceptive practice affected the consumer’s decision.” Id. This conclusion,

moreover, comports with cases in which courts have dismissed MCPA claims “for want of any

allegation that [plaintiff] relied on [defendant’s] representations to her detriment.” Peete-Bey,

131 F. Supp. 3d at 433; see also Currie v. Wells Fargo Bank, N.A., 950 F. Supp. 2d 788, 798 (D.

38 Md. 2013) (holding that an MCPA claim could not be based on alleged misrepresentations made

after the plaintiffs had entered into the agreement at issue); In re ZF-TRW Airbag Control Units

Prods. Liab. Litig., 601 F. Supp. 3d 625, 775 (C.D. Cal. 2022) (dismissing consumer protection

claim when the “consumer has neither seen nor heard” the alleged misrepresentation (quoting

Preston v. Am. Honda Motor Co., Inc., 783 F. App’x 669, 670 (9th Cir. 2019))); Mouzon v.

Radiancy, Inc., 200 F. Supp. 3d 83, 92–93 (D.D.C. 2016) (dismissing consumer protection

claims, including MCPA claim, where plaintiffs did not allege “having been exposed to any

misrepresentations” by defendant).

The Court recognizes that whether “a misrepresentation substantially induces a

consumer’s choice is ordinarily a question of fact for the trier of fact.” Bank of Am., 822 F.

Supp. 2d at 532 (emphasis added). But “ordinarily” is not “always.” Here, the Court cannot

conclude that a reasonable jury could find the element of reliance when there is no indication

Plaintiffs were even cognizant of the alleged misrepresentations when they chose CareFirst as

their health insurance or enrolled in the company’s online portal. See, e.g., Pucci v. Annapolis

Sailyard, Inc., No. CIV. JKB-10-2968, 2011 WL 3793762, at *1 (D. Md. Aug. 24, 2011) (“It is

clear that anything said by [defendant] subsequent to the signing of the contract did not affect the

[plaintiff’s] ‘choice of a product.’”); Shreve v. Sears, Roebuck & Co., 166 F. Supp. 2d 378, 417

(D. Md. 2001) (“The misrepresentations that plaintiffs allege refer to representations made in the

Owner’s Manual, which [plaintiff] read after he purchased the snow thrower. Any

representations made in the Owner’s Manual did not induce (as is required by § 13–301(9)) or

deceive Shreve so that he would purchase the machine.”).14

14 In a footnote, CareFirst also argues that Plaintiffs did not plead their MCPA claim with sufficient particularity, as required by Federal Rule of Civil Procedure 9(b), which applies to MCPA claims that sound in fraud. MSJ 19 n.5. Plaintiffs do not address this argument (perhaps

39 2. MPIPA Theory

As an alternative to their misrepresentation theory, Plaintiffs allege that they have a valid

claim based on violation of MPIPA, Md. Comm. Code § 14-3504, et seq., a violation of which

constitutes an unfair or deceptive trade practice under the MCPA, id. § 14-3508.

MPIPA provides that a business “that owns, licenses, or maintains computerized data that

includes personal information of an individual residing in the State, when it discovers or is

notified that it incurred a breach of the security of a system, shall conduct in good faith a

reasonable and prompt investigation to determine the likelihood that personal information of the

individual has been or will be misused as a result of the breach.” Id. § 14-3504(b)(1) (emphasis

added). The company must also provide notice of the breach to consumers affected by it. Id.

§ 14-3504(b)(2)–(3). MPIPA defines “breach of the security of a system” as “the unauthorized

acquisition of computerized data that compromises the security, confidentiality, or integrity of

the personal information maintained by a business.” Id. § 14-3504(a)(1) (emphasis added). In

turn, the statute at the time of the CareFirst breach defined “personal information” as “an

individual’s first name or first initial and last name in combination with any one or more of the

following data elements”—“a Social Security Number,” a “driver’s license number,” a “financial

understandably, as it is raised only in passing in a footnote). Even if this argument is not waived, however, Plaintiffs likely have just barely satisfied Rule 9(b). Rule 9(b) requires fraud claims to set out “the time, place, and contents of the false representations, as well as the identity of the person making the misrepresentation and what he obtained thereby.” Harrison v. Westingthouse Savannah River Co., 176 F.3d 776, 784 (4th Cir. 1999) (quoting 5 Charles Alan Wright & Arthur R. Miller, Fed. Prac. and Proc.: Civ. § 1297, at 590 (2d ed. 1990)). “A court should hesitate to dismiss a complaint under Rule 9(b) if the court is satisfied (1) that the defendant has been made aware of the particular circumstances for which she will have to prepare a defense at trial, and (2) that plaintiff has substantial prediscovery evidence of those facts.” Id. Plaintiffs’ complaint identifies CareFirst’s “Privacy Policy” as the source of the misrepresentation and quotes the passage at issue here. SAC ¶¶ 29, 102. Even if Plaintiffs did not identify which particular CareFirst entity is responsible for the Notice, CareFirst obviously was well equipped to identify the Notice and who issued it.

40 account number, including a credit card number or debit card number, that in combination with

any required security code, access code, or password, would permit access to an individual’s

financial account,” and an “Individual Taxpayer Identification Number.” Id. § 14-3501(d)(1)

(effective Jan. 1, 2008 to Dec. 31, 2017).

Plaintiffs allege that CareFirst violated MPIPA by failing to conduct a timely

investigation and by failing to timely notify them of the breach, which the company did not do

until 2015, a year after the phishing incident. See SAC ¶ 67. CareFirst correctly contends,

however, that MPIPA does not apply to this data breach because the cyberattack did not

“compromise[] the security, confidentiality, or integrity of” members’ Social Security numbers,

financial accounts numbers, driver’s license numbers, or taxpayer identification numbers. MSJ

at 23. As discussed above, the undisputed record shows that Plaintiffs’ Social Security numbers

were not accessed in the cyberattack. Although Plaintiffs’ complaint alleges that their subscriber

ID numbers constitute “financial account numbers” under the statute, SAC ¶ 104, Plaintiffs do

not advance this theory in their opposition. Even if Plaintiffs had not waived this argument, the

Court does not construe “financial account numbers” to include Plaintiffs’ subscriber ID

numbers, which are merely identification numbers associated with Plaintiffs’ health insurance

profiles and have no connection with bank or other financial accounts. Moreover, the breach did

not reveal or affect any “security code, access code, or password” that would have allowed

access to the CareFirst portal in any event. Md. Comm Code § 14-3501(d)(1) (effective Jan. 1,

2008 to Dec. 31, 2017). Thus, because the data exfiltrated during the CareFirst data breach does

not include any of the information specified by the statute at the time, there was no qualifying

“breach of a security system” to trigger MPIPA’s applicability. Id. § 14-3504.

41 To argue that the breach implicated MPIPA, Plaintiffs again point to the portion of this

Court’s and the Circuit’s decisions restating the allegation that the cyberattack implicated

information “that could be combined to commit identity theft and fraud.” Opp’n at 20. But, as

stated above, those statements were a description of the complaint’s allegation that Social

Security numbers were leaked, which has not been borne out by the evidence.

Additionally, Plaintiffs posit—without elaboration—that “even if Social Security

numbers, driver’s license numbers, financial account numbers, or Taxpayer Identification

Numbers were not accessed in the CareFirst data breach, such information was still compromised

as a result of the data breach, even if it was not directly accessed.” Opp’n at 20 (emphasis in

original). Although Plaintiffs’ argument here is far from clear, the Court understands this

sentence to suggest that the “security, confidentiality, or integrity” of their Social Security

numbers has been “compromised”—i.e., weakened (as opposed to revealed to an unauthorized

person)—by the breach of Plaintiffs’ other information, which could subsequently be used to

obtain covered personal information in the future. Id. at 19–20. If that is Plaintiffs’ theory, the

Court agrees that such a reading is not unreasonable. For instance, Plaintiffs’ interpretation

might cover a breach in which consumer names and login information (both usernames and

passwords) were leaked, as hackers might then be able to use that information to access a

consumer’s online profile and steal more sensitive information covered by the statute, such as

Social Security or credit card numbers. Even if that interpretation of MPIPA is plausible,

however, Plaintiffs have not identified any evidence that the data accessed in this breach—

member names, subscriber ID numbers, usernames, e-mail addresses, and birth dates—would

give hackers ready access to Social Security numbers or financial account information

42 maintained by CareFirst.15 Perhaps the leaked data could be enough to enable some forms of

future mischief; perhaps not. What matters here is that Plaintiffs identify no evidence, aside

from the single, speculative sentence in the Korczyk expert report described above, that the

information breached here actually impacted the security of the personal information covered by

MPIPA.

Moreover, even if MPIPA applied, CareFirst likely satisfied its obligations under the law.

CareFirst was aware of the phishing incident when it occurred in April 2014, but based on its

initial investigation (which included examining and reimaging the computers of the employees

who had clicked on the malware, MSJ, Ex. C at 193), the company did not believe the incident

had led to any access to its computer systems. CareFirst did not learn of the full extent of the

cyberattack until April 2015, after the Mandiant investigation, and it promptly notified members

of the attack at that point. In other words, CareFirst complied with MPIPA once it “discover[ed]

or [was] notified of” the breach. Md. Comm. Code § 14-3504(b)(1). Plaintiffs characterize

CareFirst’s failure to detect the breach earlier as “willful ignorance of the strong likelihood that a

breach occurred,” Opp’n at 20–21, but the evidence they have produced, as discussed above, at

most supports the conclusion that the company could have had particular systems in place that

would have better detected the hackers’ continued presence. Based on that evidence, the Court

cannot say CareFirst failed to act “in good faith” in conducting its investigation when it did and

not earlier. Md. Comm. Code § 14-3504(b)(1).

15 Critically, CareFirst members’ passwords were not a part of the data breach. MSJ, Ex. A ¶ 20.

43 Accordingly, because Plaintiffs have failed to point to evidence from which a reasonable

jury could find they relied on CareFirst’s Notice of Privacy Practices, and because MPIPA,

during the relevant time, did not cover a data breach of the information leaked here, the Court

grants CareFirst summary judgment as to Plaintiffs’ MCPA claim.

C. Virginia Consumer Protection Act

Last, CareFirst moves for summary judgment on Plaintiffs’ VCPA claim, which is

premised on the same alleged misrepresentation in the Notice of Privacy Practices as their

MCPA claim. Here, the analysis is even simpler. By its own text, the VCPA does not apply to

Plaintiffs’ claims against CareFirst.

The VCPA outlaws a number of unfair consumer practices, including misrepresenting the

benefits of goods or services and using deception, fraud, or misrepresentation in consumer

transactions. Va. Code Ann. § 59.1-200. The statute also provides, however, that “[n]othing in

this chapter shall apply to . . . insurance companies regulated and supervised by the State

Corporation Commission or a comparable federal regulating body.” Id. § 59.1-199

(“Exclusions”). As the Fourth Circuit has explained, the “spectre of governmental supervision

served as the legislative justification for exempting [insurance companies, banks, credit unions,

and the like] from the scope of the Consumer Protection Act.” Gill v. Rollins Protective Servs.

Co., 773 F.2d 592, 597–98 (4th Cir. 1985), opinion amended on denial of reh’g, 788 F.2d 1042

(4th Cir. 1986).

CareFirst has provided an uncontested declaration stating that CareFirst BlueChoice, Inc.,

the CareFirst subsidiary operating in Virginia which had insurance contracts with the Virginia

Plaintiffs, “is registered with the Virginia State Corporation Commission to conduct the business

of insurance in the Commonwealth of Virginia and is subject to regulation by the Virginia

44 Bureau of Insurance and other agencies of the Commonwealth.” MSJ, Ex. B ¶¶ 4, 11; see also

DSUF ¶¶ 21–23. The Virginia Bureau of Insurance is a division of the Virginia State

Corporation Commission “established to administer the insurance laws of the Commonwealth.”

Va. Code Ann. § 38.2-100. The Bureau “licenses, regulates, investigates and examines

insurance companies, agencies and agents on behalf of the citizens of the Commonwealth of

Virginia.” Insurance Agents & Agencies, State Corp. Comm’n,

https://www.scc.virginia.gov/pages/Bureau-of-Insurance (last visited Sept. 13, 2023). Thus,

because CareFirst is an insurance company regulated by the State Corporation Commission, the

VCPA does not apply to it. MSJ at 30–31.

Plaintiffs assert that CareFirst is “not exempt from Plaintiffs’ VCPA claims because

CareFirst’s failure to protect Plaintiffs’ personal information is separate and distinct from

CareFirst’s primary service of selling health insurance.” Opp’n at 29. There is no basis for this

distinction in the text of the VCPA. One of the Court’s previous opinions in this case shows

why. At the motion to dismiss stage, the Court rejected CareFirst’s argument that a provision of

the MCPA exempting from coverage the “professional services” of an “insurance company”

applied to this case. Attias II, 365 F. Supp. 3d at 26 (quoting Md. Comm. Code § 13-104(1)).16

Explaining that Maryland’s highest court had interpreted “‘professional services’ narrowly as

applied to ‘medical or dental practitioner[s],’ who are also exempt under the MCPA,” the Court

concluded “that the professional-services exemption of the MCPA does not apply to CareFirst’s

data-security practices,” which are “ancillary to the provision of health insurance coverage much

like billing is ancillary to the provision of medical care.” Id. at 26–27. In other words, the

16 The Court had no occasion to consider the VCPA’s exemption provision in that opinion because it had already dismissed those claims for a failure to allege actual damages. Attias II, 365 F. Supp. 3d at 17.

45 “professional services” language of the MCPA’s exemption provision was intended to

distinguish between the “commercial or entrepreneurial” aspects of a covered profession and the

aspects that go to the core of the service. Id. (quoting Scull v. Groover, Christie & Merritt, P.C.,

76 A.3d 1186, 1196 (Md. 2013)). The VCPA, in contrast to the MCPA, contains no such

language limiting the exemption to the “professional services” of insurance providers; it applies

without qualification to “insurance companies” so long as they are “regulated and supervised by

the State Corporation Commission or a comparable federal regulating body.” Va. Code Ann.

§ 59.1-199(4).

Plaintiffs next point to a separate exclusion that exempts from VCPA coverage “[a]ny

aspect of a consumer transaction which aspect is authorized under” state or federal law. Id.

§ 59.1-199(1). Plaintiffs maintain that the Court must therefore determine whether state or

federal law authorized consumer transactions with CareFirst. Opp’n at 29. The Court agrees

with CareFirst’s observation that “[t]his argument makes no sense.” Reply at 17 n.8. The

exemption for insurance companies regulated by the State Corporations Commission is a

completely separate exemption from the one excluding VCPA coverage for aspects of consumer

transactions authorized under state or federal law. The exemptions are presented as separate

items on a list, not as separate conditions all of which are required for an exemption to apply.

The fact that one exemption does not apply is irrelevant to whether a different exemption does.

The conclusion that the VCPA’s exemption applies here does not, of course, mean that

CareFirst and other insurers in Virginia operate in a consumer-protection-free zone. Other

provisions of Virginia law, enforced by the State Corporation Commission, prohibit health

insurers from engaging in misleading advertising and provide for the suspension or revocation

licenses if insurers advertise “services in an untrue, misrepresentative, misleading, deceptive, or

46 unfair manner.” Va. Code Ann. § 38.2-4316(6); see id. § 38.2-4312; id. § 38.2-502 (generally

prohibiting misrepresentations and false advertising of insurance policies). The existence of

these other provisions illustrates the Fourth Circuit’s observation that the “spectre of

governmental supervision” over entities such as insurance companies “served as the legislative

justification for exempting” them from the VCPA. Gill, 773 F.2d at 597–98. Accordingly,

because the VCPA expressly carves out insurance companies regulated by the State Corporation

Commission, Plaintiffs’ claims under the VCPA must be dismissed.17

D. Timing of Summary Judgment Motion

To tie up one loose end, the Court briefly addresses Plaintiffs’ contention that CareFirst’s

motion for summary judgment, which was filed while Plaintiffs’ motion for class certification

was still pending this Court’s decision, is premature under Federal Rule of Civil Procedure 56(d).

See Opp’n at 2–4. Specifically, Plaintiffs assert that the Court’s scheduling order contemplated

that additional discovery would be permitted after a decision on the class certification motion

and that they need more time to “offer qualified expert testimony related to Defendants’ failure

to comply with HIPAA.” Opp’n at 3–4.

As a general matter, a party “may file a motion for summary judgment at any time until

30 days after the close of all discovery,” unless a different time is set by local rule or court order.

17 Even if the VCPA’s exemption for insurance companies were not dispositive, Plaintiffs’ VCPA claim would, like their MCPA claim, fail for lack of evidence of reliance. The VCPA requires reliance on the alleged misrepresentation. Owens v. DRS Auto. Fantomworks, Inc., 764 S.E.2d 256, 260–61 (Va. 2014). In his deposition, Richard Bailey stated that CareFirst was among several plans available for him to choose as a Transportation Security Administration employee and that he did not “go out in the open marketplace and pick insurance Plan A over insurance Plan B.” MSJ, Ex. L at 23. Latanya Bailey had CareFirst via her husband Richard’s employment. MSJ, Ex. M at 12. Like the statements of the Maryland Plaintiffs, Mr. Bailey’s description of his decision to choose CareFirst does not suggest that he relied on, or was even aware of, the Notice of Privacy Practices. And as with the MCPA claim, Plaintiffs cite no evidence to the contrary.

47 Fed. R. Civ. P. 56(b). The Court doubts that Plaintiffs have sustained their obligation under Rule

56(d), which requires a party seeking to defer summary judgment to (1) “outline the particular

facts he intends to discover and describe why those facts are necessary to the litigation,” (2)

“explain ‘why [he] could not produce [the facts] in opposition to the motion [for summary

judgment],’” and (3) “show the information is in fact discoverable.” Convertino v. U.S. Dep’t of

Just., 684 F.3d 93, 99–100 (D.C. Cir. 2012) (citations omitted). Here, Plaintiffs’ opposition

offers only a vague suggestion that they need more time to “offer qualified expert testimony

related to Defendants’ failure to comply with HIPAA,” Opp’n at 4, and their supporting affidavit

does not provide even that level of detail.

In any case, the Court need not decide whether Plaintiffs’ request for relief under Rule

56(d) might warrant deferral of summary judgment. As explained above, even without any

additional expert discovery on HIPAA compliance, the Court denies CareFirst’s motion for

summary judgment as to Plaintiffs’ breach of contract claim. And the Court grants summary

judgment as to Plaintiffs’ MCPA and VCPA claims for reasons unrelated to CareFirst’s

compliance with HIPAA. Whether Plaintiffs might obtain additional expert opinions regarding

CareFirst’s HIPAA compliance therefore has no bearing on the outcome of this motion.

48 IV. Conclusion

For these reasons, it is hereby

ORDERED that [Dkt. No. 94] Defendant’s Motion for Summary Judgment is

GRANTED in part and DENIED in part.

SO ORDERED.

CHRISTOPHER R. COOPER United States District Judge

Date: September 13, 2023