A court in the District of Kansas recently remanded a data breach class action against a hospital to state court for lack of standing, holding that the named plaintiffs had failed to demonstrate any injury in fact that was fairly traceable to the exposure of their personal and health information.  See Memorandum and Order, Blood v. Labette County Medical Center, No. 5:22-cv-04036-HLT-KGG (D. Kansas Oct. 20, 2022), ECF 27.

The putative class action arose out of an October 2021 breach of the Labette County Medical Center’s networks that allegedly allowed hackers to steal files containing the personally identifiable information (PII) and protected health information (PHI) of over 85,000 patients and employees.  Three named plaintiffs filed suit against the hospital in state court, alleging that they suffered actual damages as a result of unauthorized bank charges, time spent verifying personal information and monitoring their accounts, and spam phone calls, among other harms.  They also alleged a risk of future injury based on potential fraud and identity theft.  The hospital removed the case to federal court under the Class Action Fairness Act (“CAFA”), and moved to dismiss.

The court first held that the damages allegedly incurred by the plaintiffs to date could not establish standing.  While acknowledging that two named plaintiffs pled a concrete injury in the form of unauthorized bank charges, the court found that they failed to allege “a plausible, non-speculative connection” between those charges and the exposure of their personal data.  Thus, the plaintiffs could not show a “substantial likelihood” that their injury was traceable to the hospital’s actions.  The court held that the other harms that the plaintiffs alleged they had already suffered—including time spent verifying tax returns and monitoring personal accounts, disruption from spam calls, and the lost value of their private data—were neither concrete injuries nor traceable to the breach.

The court also rejected the plaintiffs’ claimed injury based on a risk of future fraud or identity theft.  Having failed to allege an “actual misuse” of their information, the plaintiffs could not show that the anticipated fraud, identity theft, phishing, or data intrusions were “concrete, particularized, or imminent.”  Similarly, plaintiffs’ allegation that their data had been found on the “dark web” lacked “a plausible connection to [the hospital’s] actions” because they failed to explain what information was found, whether it matched the data exposed through the breach, and whether the hospital’s networks were the only place that hosted this information. 

Because the plaintiffs failed to plead an injury in fact traceable to the hospital’s actions, the court concluded that they lacked standing to bring the putative class action in federal court.  As the case had been removed, however, the court did not grant the motion to dismiss outright, but instead remanded the case back to state court for lack of subject matter jurisdiction.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy co-chairs the firm’s Class Action Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. A highly skilled litigator, she defends clients in complex, high-stakes class action disputes, securing significant victories across various industries, including technology…

Kate Cahoy co-chairs the firm’s Class Action Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. A highly skilled litigator, she defends clients in complex, high-stakes class action disputes, securing significant victories across various industries, including technology, entertainment, consumer products, and financial services. Kate also plays a key role in the firm’s mass arbitration defense practice. She regularly advises companies on the risks associated with mass arbitration and has a proven track record of successfully defending clients against these challenges.

Leveraging her success in class action litigation and arbitration, Kate helps clients develop strategic and innovative solutions to their most challenging legal issues. She has extensive experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), along with common law and constitutional rights of privacy, among others.

Kate’s exceptional legal work has earned widespread recognition. The Daily Journal named her successful defense of Meta and Microsoft cases described below as among its Top Verdicts, recognizing some of the largest and most impactful verdicts in California.

Recent Successes:

Represented Meta (formerly Facebook) in a putative nationwide advertiser class action alleging violations under the California Unfair Competition Law (UCL) related to charges from allegedly “fake” accounts. Successfully narrowed claims at the pleadings stage, defeated class certification, opposed a Rule 23(f) petition, won summary judgment, and defended the victory on appeal to the Ninth Circuit. (Daily Journal, Top Verdicts of 2021. Law.com recognized Kate with a Litigator of the Week Shoutout.
Defeated a landmark class action lawsuit against Microsoft and OpenAI contending that the defendants scraped data from the internet for training generative AI services and incorporated data from users’ prompts, allegedly in violation of CIPA, the Computer Fraud and Abuse Act (CFAA), and other privacy and consumer protection laws. (Daily Journal, Top Verdicts of 2024.)

Kate regularly contributes to the firm’s blog, Inside Class Actions, and was recently featured in a Litigation Daily interview titled “Where Privacy Laws and Litigation Trends Collide.” In recognition of her achievements in privacy and antitrust class action litigation, the Daily Journal named her as one of their Top Antitrust Lawyers (2024), Top Cyber Lawyers (2022), and Top Women Lawyers in California (2023). Additionally, she received the Women of Influence award from the Silicon Valley Business Journal, was recognized by the Daily Journal as a Top Attorney Under 40, and also was named to Bloomberg Law’s They’ve Got Next: The 40 Under 40 list.

Read more about Kathryn CahoyEmail
Show more Show less