District of Massachusetts Tosses Data Breach Lawsuit for Lack of Injury

November 24, 2022

It is now common for class action lawsuits to be filed in response to a healthcare data breach. While the theft of sensitive healthcare data can undoubtedly cause a great deal of inconvenience to victims of a data breach, for a lawsuit to stand a chance of success, the plaintiffs must allege they have suffered an injury as a direct result of the breach. Last month, the District of Massachusetts dismissed a class action complaint against Injured Workers’ Pharmacy, LLC, as the plaintiffs and class members failed to establish an injury-in-fact sufficient to confer Article III standing.

In May 2021, Injured Workers’ Pharmacy, which provides a pharmaceutical home delivery service, discovered parts of its network had been accessed by unauthorized individuals who potentially viewed or obtained the personally identifiable information of more than 75,000 of its customers.

A lawsuit, Webb v. Injured Workers’ Pharmacy, LLC, was filed on behalf of customers Alexsis Webb and Marsclette Charley. It alleged negligence for failing to implement appropriate data security measures, breach of implied contract, unjust enrichment, and other claims. Webb and other individuals similarly affected by the breach alleged they had suffered an injury as a result of the data breach in the form of anxiety, loss of sleep, stress, and fear, and had spent considerable time and effort monitoring their financial accounts and protecting themselves against identity theft and fraud. Charley alleged she had spent hours dealing with the IRS due to a fraudulent tax return that had been filed in her name. The plaintiffs also alleged that as a result of their personally identifiable information being made available on the dark web, they had suffered damage to and diminution of the value of their PII, the cost of which was estimated to be $1,000.

Injured Workers’ Pharmacy (IWP) sought to dismiss the lawsuit for lack of standing as the plaintiffs had failed to state a claim, and the lawsuit failed to allege any concrete and particularized injuries that are actual or imminent. The District of Massachusetts agreed and rejected the factual allegations of the complaint as the plaintiffs failed to allege they had suffered any identifiable harm as a result of the data breach.

The only alleged harm that was suffered was the “considerable time and effort” that was spent monitoring accounts and dealing with the IRS, as there was no allegation of monetary loss, data misuse, or even an allegation that the plaintiffs’ PII had been stolen. While Charley had a fraudulent tax return filed in her name, the court ruled that there was no plausible allegation that connected the fraudulent claim to the data breach. Regarding the claim that there had been a diminution of the value of the plaintiffs’ PII, the court said it was unclear how the loss of black market value of the PII could inflict an injury on the plaintiffs.

The Supreme Court had previously ruled that in a suit for damages, the mere risk of future harm, without more, cannot establish Article III standing. The District of Massachusetts ruled that “[Plaintiffs] cannot manufacture standing merely by inflicting harm on themselves based on… hypothetical future harm.”

The post District of Massachusetts Tosses Data Breach Lawsuit for Lack of Injury appeared first on HIPAA Journal.