May 15, 2020
Health Law Weekly

Hospital Dodges Data Breach Action After U.S. Court in New York Finds Plaintiff Lacked Standing

A federal court in New York on May 12 dismissed a putative class action against Elizabethtown Community Hospital (ECH) involving a 2018 data breach that allegedly exposed 32,000 patients’ personal information, after finding that the named plaintiff in the case lacked standing.

The U.S. District Court for the Northern District of New York held plaintiff Ronald Jantzer, who brought the action, failed to show an injury in fact because the specific stolen information—dates and amount of his treatment and his insurer—did not create an imminent risk of identity theft.

According to the complaint, New York-based ECH, which is part of University of Vermont Health Network, discovered in October 2018 that the personal information—including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, and medical information—of 32,000 patients was exposed for a period of nine days following a successful phishing attack.

Jantzer alleged the data breach was a direct result of ECH’s failure to implement adequate and reasonable cybersecurity procedures. Jantzer sued alleging claims of negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and deceptive, unfair, and unlawful trade acts or practices.

ECH moved to dismiss, arguing that Jantzer, as the named plaintiff, failed to show standing as his exposure in the data breach was limited to non-sensitive information. Jantzer alleged the threat of future harm was sufficiently imminent and that the time he spent protecting himself also amounted to an injury for standing purposes.

The Second Circuit hasn’t resolved the issue of whether the risk of identity theft creates an injury in fact to confer standing in a data breach action.

The court here acknowledged that the theft of certain personal information, like birth dates and Social Security numbers, could constitute a substantial risk of harm—and thus an injury in fact. In this case, however, the stolen information at issue was limited to dates of treatment and plaintiff’s insurer. None of plaintiff’s financial information was compromised.

“Because the type of information exposed is not sensitive enough such that identity theft is ‘certainly impending’ or there is a ‘substantial risk’ that it will occur,” the court held that Jantzer failed to establish an injury.

The court also said plaintiff could not manufacture standing by asserting an injury involving the time spent protecting himself from the unlikely possibility of identity theft.

Elizabethtown Community Hosp. v. Jantzer, 8:19-cv-00791 (BKS/DJS) (N.D.N.Y. May 12, 2020).
 
 
