On February 3, a New York magistrate judge recommended dismissing a class action against medical management company Professional Business System d/b/a Practicefirst Medical Management Solutions in Tassmer v. Professional Business Systems. Judge Michael J. Roemer recommended dismissal because plaintiffs’ allegations failed to constitute an injury under the Supreme Court’s ruling in TransUnion v. Ramirez, 141 S. Ct. 2190 (2021). In Ramirez, the Supreme Court ruled a plaintiff cannot establish an injury-in-fact by relying entirely on risk of future harm, unless the risk of future harm itself caused a separate concrete injury.
Practicefirst disclosed a data breach in December 2020 following a ransomware attack. The breach impacted the information of over 1.2 million Practicefirst employees and patients and resulted in the unauthorized acquisition of: names, addresses, email addresses, dates of birth, driver’s license numbers, Social Security numbers, medical diagnosis treatment information, and financial information.
Plaintiffs filed a class-action suit against Practicefirst soon after the breach disclosure. Plaintiffs alleged that Practicefirst: (1) breached contracts with medical providers, of which plaintiffs argued they were the intended third-party beneficiaries; (2) was negligent based on defendants’ breach of their duty to protect class members’ personal health information and general personal information; and (3) owed plaintiffs declaratory and injunctive relief. Plaintiffs also alleged that they each spent time reviewing account statements and credit reports for any indication of actual or attempted identity theft and that this was time they could have spent on other activities.
Practicefirst filed a motion to dismiss, arguing that all three named plaintiffs lacked Article III standing to sue because they failed to allege an injury-in-fact; plaintiffs had not alleged that they experienced concrete harm arising from the data breach or the threat of actual or imminent future harm. Judge Roemer held that the allegation of spending time reviewing account statements and credit reports was not enough to allege an injury-in-fact.
Unsurprisingly, Judge Roemer considered the recent Supreme Court case of TransUnion v. Ramirez. Under Ramirez, a plaintiff cannot establish an injury-in-fact for purposes of standing by relying entirely on risk of future harm, unless the risk of future harm itself caused a separate concrete injury. Whether a harm qualifies as concrete depends on “whether the alleged injury to the plaintiff has a close relationship to harm traditionally recognized as providing the basis for a lawsuit in American courts.”[1] Based on the Court’s holding in TransUnion v. Ramirez and other Second Circuit cases, Judge Roemer held that plaintiffs failed to allege both a future risk of harm and a separate, concrete injury.
Judge Roemer also considered Second Circuit case law, specifically focusing on three factors created before the TransUnion v. Ramirez decision to identify whether an increased risk of identity theft is sufficiently “concrete, particularized, and imminent” to confer standing. Judge Roemer held that the relevant factors are whether: (1) the plaintiff’s data has been exposed as part of a targeted attempt to obtain the data; (2) any portion of the data has already been misused, even if plaintiffs themselves did not experience any fraud; and (3) the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud. Without deciding whether these factors still apply after TransUnion v. Ramirez, Judge Roemer held the plaintiffs failed to show imminent or certainly impending harm sufficient to confer standing. In support of the third factor, the plaintiffs argued their personal data was exfiltrated, and therefore, the threat actor must have intended to use the data for identity theft or fraud purposes. However, the Court noted that the goal of a ransomware attack is to exchange money for access to data, not identity theft. The Court also stated that out of the 1.2 million people affected by the breach, none reported having experienced attempted or actual identity theft in the year following the breach.
For companies facing litigation after a ransomware attack, this case is an important reminder of the procedural requirements necessary to maintain a lawsuit. This case is also an important application of the Supreme Court’s ruling in TransUnion v. Ramirez.
Troutman Pepper’s privacy professionals have extensive pre- and post-incident response experience and are ready to help businesses mitigate the threat and fallout of ransomware attacks, which may include potential litigation.
[1] TransUnion v. Ramirez, 141 S. Ct. 2190, 2204 (2021).