A court in the District of Kansas recently remanded a data breach class action against a hospital to state court for lack of standing, holding that the named plaintiffs had failed to demonstrate any injury in fact that was fairly traceable to the exposure of their personal and health information.  See Memorandum and Order, Blood v. Labette County Medical Center, No. 5:22-cv-04036-HLT-KGG (D. Kansas Oct. 20, 2022), ECF 27.

The putative class action arose out of an October 2021 breach of the Labette County Medical Center’s networks that allegedly allowed hackers to steal files containing the personally identifiable information (PII) and protected health information (PHI) of over 85,000 patients and employees.  Three named plaintiffs filed suit against the hospital in state court, alleging that they suffered actual damages as a result of unauthorized bank charges, time spent verifying personal information and monitoring their accounts, and spam phone calls, among other harms.  They also alleged a risk of future injury based on potential fraud and identity theft.  The hospital removed the case to federal court under the Class Action Fairness Act (“CAFA”), and moved to dismiss.

The court first held that the damages allegedly incurred by the plaintiffs to date could not establish standing.  While acknowledging that two named plaintiffs pled a concrete injury in the form of unauthorized bank charges, the court found that they failed to allege “a plausible, non-speculative connection” between those charges and the exposure of their personal data.  Thus, the plaintiffs could not show a “substantial likelihood” that their injury was traceable to the hospital’s actions.  The court held that the other harms that the plaintiffs alleged they had already suffered—including time spent verifying tax returns and monitoring personal accounts, disruption from spam calls, and the lost value of their private data—were neither concrete injuries nor traceable to the breach.

The court also rejected the plaintiffs’ claimed injury based on a risk of future fraud or identity theft.  Having failed to allege an “actual misuse” of their information, the plaintiffs could not show that the anticipated fraud, identity theft, phishing, or data intrusions were “concrete, particularized, or imminent.”  Similarly, plaintiffs’ allegation that their data had been found on the “dark web” lacked “a plausible connection to [the hospital’s] actions” because they failed to explain what information was found, whether it matched the data exposed through the breach, and whether the hospital’s networks were the only place that hosted this information. 

Because the plaintiffs failed to plead an injury in fact traceable to the hospital’s actions, the court concluded that they lacked standing to bring the putative class action in federal court.  As the case had been removed, however, the court did not grant the motion to dismiss outright, but instead remanded the case back to state court for lack of subject matter jurisdiction.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Raymond Lu Raymond Lu

Raymond Lu is a litigator who handles a wide range of complex commercial disputes and class actions in federal and state courts. He represents clients in the technology, financial, and pharmaceutical industries, among others, and maintains an active pro bono practice.

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer…

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer products, and financial services. Kate has also played a key role in developing the firm’s mass arbitration defense practice. She regularly advises companies on the risks associated with mass arbitration and has a proven track record of successfully defending clients against these challenges.

Leveraging her success in class action litigation and arbitration, Kate helps clients develop strategic and innovative solutions to their most challenging legal issues. She has extensive experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), along with common law and constitutional rights of privacy, among others.

Recent Successes:

Represented Meta (formerly Facebook) in a putative nationwide advertiser class action alleging violations under the California Unfair Competition Law (UCL) related to charges from allegedly “fake” accounts. Successfully narrowed claims at the pleadings stage, defeated class certification, opposed a Rule 23(f) petition, won summary judgment, and defended the victory on appeal to the Ninth Circuit. The Daily Journal selected Covington’s defense of Meta as one of its 2021 Top Verdicts, and Law.com recognized Kate as a Litigator of the Week Shoutout.
Defeated a landmark class action lawsuit against Microsoft and OpenAI contending that the defendants scraped data from the internet for training generative AI services and incorporated data from users’ prompts, allegedly in violation of CIPA, the Computer Fraud and Abuse Act (CFAA), and other privacy and consumer protection laws.

Kate regularly contributes to the firm’s blog, Inside Class Actions, and was recently featured in a Litigation Daily interview titled “Where Privacy Laws and Litigation Trends Collide.” In recognition of her achievements in privacy and antitrust class action litigation, the Daily Journal named her as one of their Top Antitrust Lawyers (2024), Top Cyber Lawyers (2022), and Top Women Lawyers in California (2023). Additionally, she received the Women of Influence award from the Silicon Valley Business Journal and was recognized by Daily Journal as a Top Attorney Under 40.