Court Finds Lack of Standing in Medical Data Breach Case

In Peters v. St. Joseph Servs. Corp., the United States District Court for the Southern District of Texas recently dismissed a class action complaint seeking damages arising out of a data incursion. The Court dismissed the complaint under Federal Rule of Civil Procedure 12(b)(1) for lack of standing without leave to amend, while granting the plaintiff 30 days to raise her state and common law claims in state court.

In Peters, the plaintiff supplied her personally identifiable information (PII) and/or protected health information (PHI) to the defendants when purchasing health care services from them. She sought to certify a class of all Texas residents who were sent a letter or other communication from the defendants notifying them that their PII and/or PHI was maintained on a server accessed by hackers during a three day period in 2013. The plaintiff brought federal statutory claims under the Fair Credit Reporting Act in addition to various state and common law claims including violation of the Texas Medical Practice Act and Hospital Licensing Law.

The plaintiff alleged that she suffered attempted unauthorized charges on her credit card; unauthorized access of her account; multiple telephone solicitations from medical products and services companies; large volumes of spam emanating from her email account; unsolicited marketing materials by mail and email, targeting medical conditions that she claimed senders could only have learned by obtaining her PII/PHI; and diminished value of the medical services she purchased. The Court found that her allegations failed to satisfy the causation and redressability elements of Article III standing:

Although it is alleged that [defendants’] failures ‘proximately caused’ [plaintiff’s] injuries, the allegation . . . fails to account for the sufficient break in causation caused by opportunistic third parties. The injuries . . . are “the result of the independent action of a third party” and therefore not cognizable under Article III.

The Court reasoned that even if the harm alleged by the plaintiff were traceable to the defendants, a court ruling “would not prevent medical products and services companies from contacting [the plaintiff] or otherwise disgorge them of her personal information.”

Gibbons P.C. will monitor whether the plaintiff files a complaint in Texas state court and if so, whether a class action is permitted to go forward against the defendants in that jurisdiction.

Gibbons P.C. provides strategic guidance pertaining to all types of data breach and privacy matters. Wendy Stein, Counsel in the Gibbons Intellectual Property department, has litigated matters arising out of data breaches and represented multi-national pharmaceutical companies. Barry Liss, a Director in the Gibbons Corporate Department and Healthcare Team Leader, represents hospital systems, large multi-specialty physician groups, HMOs, health insurance companies, and other business enterprises in the healthcare sector.

This is the first in a series of articles concerning data incursions affecting the healthcare sector.