BreachExchange mailing list archives

Aetna boots data breach class action suit


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 24 Mar 2010 20:55:34 -0400

http://www.infosecurity-us.com/view/8024/aetna-boots-data-breach-class-action-suit/

12 March 2010

Health insurer Aetna has succeeded in having a class-action lawsuit
over an alleged security breach dismissed.

The case, brought by Cornelius Allison, stemmed from an alleged
security breach of the Aetna online job application database. The
breach, which was announced by Aetna last May, caused it to send
notification letters to 65 000 current and former employees telling
them that personal information may have been exposed.

Allison, who worked for the company as an office assistant from 1998
until May 2005, applied for a customer service position at Aetna using
its website. He uploaded his personal information and his resume.

According to the complaint filed in the lawsuit, Allison became aware
last May of a breach in the job application website, when applicants
reported receiving phishing emails from Aetna asking for additional
personal information in response to job enquiries.

Aetna argued in the case that Allison's claim was invalid, because it
merely speculated that there may have been material damage. "Courts
have recognized that allegations of 'increased risk of harm' and
related costs for preventative measures are not legally cognizable
injuries." In short, Allison could not prove that any harm had been
done.

The case was dismissed even though Allison contended that he had
incurred out-of-pocket expenses, lost time, and an increased risk of
identity theft. "Plaintiff's alleged injury or an increased risk of
identity theft is far too speculative," the judge said in a decision.
"Plaintiff's allegation that his personal information was even
accessed is conjecture. Plaintiff never received the phishing email.
In addition, defendants' letter stated that they were unable to verify
whether plaintiff's information was even accessed."

Allison had also admitted that only email addresses had been
accessible in the breach, the court said. "At best, plaintiff has
alleged a mere possibility of an increased risk of identity theft,
which is insufficient for purposes of standing, and he certainly has
not asserted a credible threat of identity theft."

The decision carries particular significance for future data breach
cases brought by victims who cannot prove that their identities have
been stolen.

Aetna's job application website contained the email addresses of 450
000 job applicants, along with the social security numbers of current
and former employees. The social security numbers, telephone numbers
for addresses, and employment histories of those who had been offered
jobs by Aetna were also in the system.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
