In re Horizon Healthcare Services Inc. Data Breach Litigation, 2021 WL 6049549

“Furnish” under the FCRA describes “active transmission of information to a third-party rather than a failure to safeguard the data.” Information stolen from a defendant is not furnished within the meaning of the FCRA.

The New Jersey District Court’s recent opinion in this case involved a motion filed by Horizon Healthcare Services, Inc. to dismiss the amended putative class action complaint filed by the plaintiffs. In a comprehensive opinion, the court granted the motion to dismiss. 

The defendant is a New Jersey-based company that provides health insurance products and maintains its members’ personal and medical information. In November 2013, an unknown thief stole two password-protected laptop computers—containing information of more than 839,000 members—from the defendant’s New Jersey headquarters. The defendant reported the incident to the police on November 4, 2013, and subsequently notified potentially affected members of the theft via letter and press release. As a result of the breach, the defendant offered potentially affected members one year of credit monitoring and identity theft protection services. 

On December 11, 2013, the plaintiffs filed a putative class action complaint asserting claims under the Fair Credit Reporting Act (FCRA), among other things. They argued, in part, that the defendant violated the FCRA by either improperly disclosing (§ 1681b(g)) or furnishing (§ 1681e) consumer information.

In deciding the defendant’s motion to dismiss, the court found that the plaintiffs failed to plead a violation of § 1681b(g) because the defendant did not “disclose” information to the thieves. Courts interpreting data privacy laws have held that defendants whose information was stolen did not “disclose” that stolen information. Likewise, the court held that the plaintiffs failed to show that the defendant “furnished” information to the thieves and posited that courts routinely interpret “furnish” under FCRA to describe the “active transmission of information to a third-party rather than a failure to safeguard the data.” Courts have concluded that information stolen from a defendant is not furnished within the meaning of FCRA. 

 

Case Law Alerts, 1st Quarter, April 2022 is prepared by Marshall Dennehey Warner Coleman & Goggin to provide information on recent developments of interest to our readers. This publication is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. Copyright © 2022 Marshall Dennehey Warner Coleman & Goggin, all rights reserved. This article may not be reprinted without the express written permission of our firm.