A court in the District of Kansas recently remanded a data breach class action against a hospital to state court for lack of standing, holding that the named plaintiffs had failed to demonstrate any injury in fact that was fairly traceable to the exposure of their personal and health information. See Memorandum and Order, Blood v. Labette County Medical Center, No. 5:22-cv-04036-HLT-KGG (D. Kansas Oct. 20, 2022), ECF 27.
The putative class action arose out of an October 2021 breach of the Labette County Medical Center’s networks that allegedly allowed hackers to steal files containing the personally identifiable information (PII) and protected health information (PHI) of over 85,000 patients and employees. Three named plaintiffs filed suit against the hospital in state court, alleging that they suffered actual damages as a result of unauthorized bank charges, time spent verifying personal information and monitoring their accounts, and spam phone calls, among other harms. They also alleged a risk of future injury based on potential fraud and identity theft. The hospital removed the case to federal court under the Class Action Fairness Act (“CAFA”), and moved to dismiss.
The court first held that the damages allegedly incurred by the plaintiffs to date could not establish standing. While acknowledging that two named plaintiffs pled a concrete injury in the form of unauthorized bank charges, the court found that they failed to allege “a plausible, non-speculative connection” between those charges and the exposure of their personal data. Thus, the plaintiffs could not show a “substantial likelihood” that their injury was traceable to the hospital’s actions. The court held that the other harms that the plaintiffs alleged they had already suffered—including time spent verifying tax returns and monitoring personal accounts, disruption from spam calls, and the lost value of their private data—were neither concrete injuries nor traceable to the breach.
The court also rejected the plaintiffs’ claimed injury based on a risk of future fraud or identity theft. Having failed to allege an “actual misuse” of their information, the plaintiffs could not show that the anticipated fraud, identity theft, phishing, or data intrusions were “concrete, particularized, or imminent.” Similarly, plaintiffs’ allegation that their data had been found on the “dark web” lacked “a plausible connection to [the hospital’s] actions” because they failed to explain what information was found, whether it matched the data exposed through the breach, and whether the hospital’s networks were the only place that hosted this information.
Because the plaintiffs failed to plead an injury in fact traceable to the hospital’s actions, the court concluded that they lacked standing to bring the putative class action in federal court. As the case had been removed, however, the court did not grant the motion to dismiss outright, but instead remanded the case back to state court for lack of subject matter jurisdiction.