In Jantzer v. Elizabethtown Cmty. Hosp., No. 8:19-cv-00791 (BKS/DJS), 2020 U.S. Dist. LEXIS 83207 (N.D.N.Y. May 12, 2020), Judge Sannes dismissed a data breach class action for lack of standing. The facts were as follows:
UVM Health is a Vermont Corporation headquartered in Burlington, Vermont that consists of a “six-hospital and home health & hospice system” located in “Vermont and northern New York.” (Dkt. No. 1, ¶ 10). ECH is a New York corporation headquartered in Elizabethtown, New York and is part of the UVM Health network. (Id. ¶ 9). On October 18, 2018, “ECH discovered that the PII of 32,000 of its patients was compromised as a result of a successful phishing attack of one or more of its employees.” (Dkt. No. 1, ¶ 15). Specifically, “an unauthorized third party acquired credentials that enabled them to remotely access the email account of an ECH employee and thereafter to gain unfettered access to the PII of ECH patients over a period of nine days in October 2018” (the “Data Breach”). (Id.). The PII exposed included “names, addresses, Social Security numbers, dates of birth, driver’s license numbers, and medical information such as medical record numbers, dates of service, and summaries of medical services provided.” (Id. ¶ 16).
“This Data Breach was a direct result of Defendants’ failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect patient PII.” (Id. ¶ 4). Defendants failed to (1) “take adequate and reasonable measures to ensure its data systems were protected,” (2) “disclose that it did not have adequately robust computer systems and security practices,” (3) “take standard and reasonable available steps to prevent the Data Breach,” (4) “monitor and timely detect the Data Breach,” and (5) “provide Plaintiff . . . prompt and accurate notice of the Data Breach.” (Id. ¶ 5).
Plaintiff Ronald Jantzer is a patient of ECH. (Id. ¶ 8). On December 17, 2018—two months after ECH discovered the data breach—he “received notice from ECH that his PII, along with approximately 32,000 other patients, had been improperly exposed to unauthorized third parties.” (Id. ¶¶ 2, 8).
The notice informed him that the compromised email account contained some of his “personal information, including [his] name and limited medical information.” (Dkt. No. 13-4, at 2). It also stated that his “Social Security number was not present in the account, and [ECH] do[es] not believe [he] [is] at any financial risk.” (Id.). According to Jennifer Parks, UVM Health’s Network Chief Compliance and Privacy Officer, the compromised email account “did not contain any financial information of [Plaintiff], such as credit or debit card numbers; it did not contain [Plaintiff’s] date of birth; and it did not contain any medical condition(s) for which [Plaintiff] was treated.” (Dkt. No. 13-2, ¶¶ 1, 5). However, the email account “did contain limited information associated primarily with billing” including “information relating to the processing of payment from insurers: date of treatment, information identifying the insurer that provided reimbursement, and payment dates and amounts.” (Id. ¶ 6). Plaintiff “has spent time monitoring and protecting his financial well-being by, among other things, corresponding with the major credit bureaus.” (Dkt. No. 1, ¶ 8). Plaintiff alleges he will continue to spend “significant amounts of time and money in an effort to protect [himself] from the adverse ramifications of the Data Breach and will forever be at a heightened risk of identity theft and fraud.” (Id. ¶ 6).
The District Court found no damages sufficient to justify standing.
In this case, Plaintiff was informed that his social security number was not included in the data that was stolen. (Dkt. No. 13-4, at 2). While the data breach contained “limited information [of Plaintiff’s] associated primarily with billing,” such as “the date of treatment, information identifying the insurer that provided reimbursement, and payment dates and amounts,” it “did not contain any financial information of [Plaintiff], such as credit or debit cards,” his birth date, or any of his medical conditions. (Dkt. No. 13-2, ¶¶ 1, 5). As Defendant states, “Plaintiff does not contest, controvert, or in any way challenge [Defendants’] showing” regarding what PII of Plaintiff’s was stolen. (Dkt. No. 17, at 5) (emphasis omitted). Thus, the Court must determine whether the theft of Plaintiff’s personal information related to the date and amount of his treatment, and his insurer, creates an imminent risk of identity theft. The Court finds that it does not, and thus Plaintiff has not alleged the requisite injury in fact necessary for standing.
Even assuming that the Second Circuit allowed standing based on an increased risk of future identity theft, “it would be of no help to Plaintiff in this case,” Steven v. Carlos Lopez & Assocs., LLC, 422 F. Supp. 3d 801, 804 (S.D.N.Y. 2019), because the type of information exposed is not sensitive enough such that identity theft is “certainly impending” or there is a “substantial risk” that it will occur. Driehaus, 573 U.S. at 158 (citation omitted). The cases Plaintiff relies on are distinguishable from the instant case because they involved the theft of more sensitive information. (Dkt. No. 15, at 14). See In re Zappos.com, Inc., 888 F.3d 1020, 1023-27 (9th Cir. 2018) (finding the plaintiffs had standing when the data breach included “names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information” and this data “gave hackers the means to commit fraud or identity theft”); In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-md-02752, 2017 WL 3727318, at *2, *13, 2017 U.S. Dist. LEXIS 140212, at *31, *62 (N.D. Cal. Aug. 30, 2017) (finding the plaintiffs alleged a “credible threat of real and immediate harm” when the data breached contained information about plaintiffs’ “Yahoo login, country code, recovery e-mail, date of birth, hashed password, cell phone numbers, and zip codes”) (citation and internal quotation marks omitted). Here, the limited nature of information exposed undercuts Plaintiff’s assertion that there is a substantial risk of future harm. See Clapper, 568 U.S. at 409 (“[A]llegations of possible future injury are not sufficient” (citation and internal quotation marks omitted)).
“Those who are entrusted with details about an individual’s health care should guard against even the inadvertent disclosure of that confidential information” and “[t]hose duties were allegedly breached in this case when hackers secured access to confidential health care information through a cyberattack.” Fero I, 236 F. Supp. 3d at 742. “Nonetheless, while legal remedies may be pursued by those who were injured, the law only allows for the pursuit of plausible claims—and only by those who have standing based on an alleged legally compensable injury.” Id. The Court finds the harm of increased risk of future identity fraud too speculative to support standing in this case. . . .
Defendants contend that “[p]laintiffs are not permitted to use unspecified monitoring to manufacture an injury” because “‘[m]itigation expenses do not qualify as actual injuries where the harm is not imminent.’” (Dkt. No. 17-18 (quoting Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015)). The Court agrees with Defendants. . . . In this case, Plaintiff’s allegation that “he has spent time monitoring and protecting his financial wellbeing, by, among other things, corresponding with the major credit bureaus,” (Dkt. No. 1, ¶ 8), is thus not sufficient to confer standing. See Whalen II, 689 F. App’x at 91 (stating that the plaintiff “pleaded no specifics about any time or effort that she herself has spent monitoring her credit” and so “she alleged no injury that would satisfy the constitutional standing requirements of Article III”). This case is unlike Rudolph, where the plaintiff’s specific allegations, detailing the time and expense she had incurred in obtaining a replacement debit card, established a concrete injury sufficient for Article III standing. Rudolph, 2019 WL 2023713, at *7, 2019 U.S. Dist. LEXIS 77665, at *21-23.