On December 22, the U.S. District Court for the District of New Jersey dismissed putative class claims brought against a health insurance company, following a 2013 data breach incident. In In re Horizon Healthcare Servs. Data Breach Litigation, the court dismissed a putative class complaint against Horizon Healthcare Services, Inc. (Horizon) and held that (1) the plaintiffs failed to sufficiently allege that Horizon was a consumer reporting agency (CRA) under the Fair Credit Reporting Act (FCRA) and (2) the plaintiffs failed to allege that Horizon’s actions violated the FCRA. Civil Action No. 2:13-cv-07418, 2021 U.S. Dist. LEXIS 243041 (D.N.J. Dec. 21, 2021).

According to the complaint, Horizon is a New Jersey-based company that provides health insurance products and services to approximately 3.7 million members. In its normal course of business, Horizon collects and maintains client information, which includes names, birth dates, social security numbers, medical histories, and insurance information. In November 2013, an unknown thief stole two password-protected laptop computers containing client information from Horizon’s New Jersey headquarters. Horizon promptly reported the incident to police, began an investigation, and notified potentially affected members via a letter and press release. Additionally, Horizon offered all potentially affected members one year of credit reporting and monitoring through Experian.

In December 2013, a group of plaintiffs filed a putative class action alleging violations of the FCRA and several state laws stemming from the data breach. After the court dismissed the plaintiffs’ claims for lack of Article III standing, the Third Circuit remanded the matter to the court and noted that similar cases in this area of law have not been “entirely consistent.” On remand, the court examined whether Horizon qualified as a CRA and whether plaintiffs alleged sufficient facts to support a finding that Horizon violated the FCRA.

As to the first question, the court relied on the reasoning in Dolmage v. Combined Insurance Company of America, and found that Horizon was not a CRA because the company did not collect personal information on consumers “for the purpose of furnishing consumer reports to third parties.” No. 14 C 3809, 2015 U.S. Dist. LEXIS 6824 (N.D. Ill. Jan. 21, 2015). Rather, “[the plaintiffs’] contentions actually substantiate Defendant’s averment that it is a health insurance company that collects its consumers’ information for the purpose of providing health insurance coverage and administering health benefits plans” — a purpose that falls outside the ambit of the FCRA.

With respect to the second question, the court found that even if Horizon qualified as a CRA, plaintiffs still failed to plausibly allege that Horizon violated the FCRA. The court noted that a CRA violates sections 1681b or 1681e of the FCRA by “improperly disclosing or furnishing consumer information.” But here, plaintiffs could not allege that Horizon violated these provisions because the consumer information was stolen — i.e., Horizon did not “disclose” or “furnish” the information. Moreover, other courts interpreting data privacy laws have held that defendants whose information was stolen did not “disclose” the stolen information.

The decision is yet another notable guidepost for defending against claims that an entity is a CRA under the FCRA, including in the data privacy space. Troutman Pepper will continue to monitor and provide updates on cases impacting the court’s interpretation of the FCRA, data, and privacy laws.