AETNA DATA BREACH CLASS ACTION LAWSUIT DISMISSED BY FEDERAL JUDGE
A federal judge has dismissed a class action lawsuit, Allison v. Aetna, filed after the insurer’s computer database may have been hacked. Allegedly, the personal data of some 450,000 job applicants were potentially compromised.
U.S. District Judge Legrome D. Davis held that such a claim of “increased risk of identity theft” is not enough to confer standing to sue.
“At best, plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft,” Davis wrote. The ruling is a victory for Aetna and other company’s that harvest personal data, but do not have to ensure the information is guarded from hackers.
“This case is about whether plaintiff and the class can recover for:
(i) out-of-pocket costs necessarily incurred as a result of the data breach;
(ii) time spent responding to the breach; and
(iii) an increased risk of identity theft,” the plaintiffs lawyers argued.
Aetna mailed breach notification letters to the 65,000 individuals whose Social Security numbers were at risk. Aetna’s letter “urged” the individuals to take precautions to prevent identity theft, such as monitoring their personal accounts, placing a fraud alert on their consumer credit files, and reviewing their credit reports for accounts. Acknowledging the individuals were at a greater risk of identity theft, Aetna offered free credit monitoring for one year.
This court opinion highlights the lack of consumer protection for victims of identity theft. While Aetna acknowledges the increased risk of identity theft of the persons affected by the breach, the law does not hold it liable for lax security measures that guard personal data. The consumer reporting agencies, Equifax, Experian and Trans Union, profit from the sale of credit monitoring, a right under federal law already available to consumers and victims of identity theft under the Fair Credit Reporting Act.
If you have received a breach notification letter, or are already a victim of identity theft, then you should contact data security lawyer Micah Adkins for a free and confidential legal consultation.