On July 17, 2017, a New Jersey federal district court heard oral arguments in a motion to dismiss a putative class action lawsuit alleging violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681a et seq. The FCRA claim in the case, In re: Horizon Healthcare Services Inc. Data Breach Litigation, case no. 2:13-cv-07418 (D.N.J.), arises from a theft suffered by Horizon Healthcare Services, a health insurance provider. The theft occurred when unknown individuals stole Horizon employees’ computers from an office building. The computers contained personal information of Horizon customers, including social security numbers and medical information, although it is unclear whether anyone’s personal information was accessed as a result of the theft. The plaintiffs in the case claim that Horizon intentionally or negligently failed to safeguard customers’ personally identifiable information from unauthorized disclosure, alleging that Horizon kept data unencrypted and otherwise handled data improperly and not in accordance with current cybersecurity best practices.
The district court had previously dismissed the plaintiffs’ class claims on the grounds that they lacked an injury sufficient to create standing. On appeal, the Third Circuit vacated the district court’s decision on standing, relying on the Supreme court’s decision in Spokeo v. Robinson, 136 S. Ct. 1540, 1548 (2016). It found that the plaintiffs’ allegations of a privacy injury alone were sufficient to establish harm for standing purposes. See In Re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 15-2309 (3rd Cir. 2017). On remand, Horizon again filed a motion to dismiss, and raised the important question of whether Horizon, a health insurance company, qualified as a consumer reporting agency subject to FCRA. In order to be subject to the FCRA, a company must “for monetary fees, dues, or on a cooperative nonprofit basis, regularly engage in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, [using] any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.” 15 U.S.C. § 1681a(f).
The question of the applicability of the FCRA to a health insurance company is both central to this case, and, more importantly, also bears on whether FCRA liability may expand beyond “traditional” credit reporting agencies like Equinox or even financial services companies generally. Plaintiffs’ theory, as described in their brief opposing Horizon’s motion to dismiss, is that FCRA’s definition is very broad because it includes anything that bears on consumers’ personal characteristics or mode of living. Plaintiffs argue that FCRA’s applicability standards are met in this case because Horizon: (1) assembles and evaluates information included on enrollment forms for customers and potential customers, (2) assembles customer information provided to it in forms and through websites Horizon sponsors; and (3) collects and retains customer information obtained from customer transactions involving Horizon, its affiliates, and third parties, such as health care providers. However, during oral argument, the district court judge displayed some skepticism around whether Horizon qualified as a consumer reporting agency, questioning whether Horizon was in the consumer reporting business. Nonetheless, if the court ultimately agrees with Plaintiffs, this could expand FCRA liability to other companies who handle or process consumer information. Accordingly, LenderLaw Watch will be monitoring developments in this case and will report on new information as it arises.