On March 31, 2015, the U.S. District Court for the District of New Jersey dismissed a consolidated class action against Horizon Healthcare Services, Inc. (“Horizon Healthcare”) for lack of standing. The Horizon Healthcare decision (In re Horizon Healthcare Services Inc. Data Breach Litigation, Civil Action No. 13-7418) demonstrates that as data breach liability actions become more common, especially against the healthcare industry, courts remain divided as to what allegations of injury are sufficient to establish a claim.
In Horizon Healthcare, class members alleged that sometime between November 1st and 3rd, 2013, two laptops containing personal and medical information, including treatment histories and Social Security numbers for more than 839,000 Horizon Healthcare members, were stolen by an unknown party. The three named plaintiffs alleged that because of Horizon Healthcare’s actions relating to the breach, class members were at an imminent, immediate, and continued risk of harm from identity theft and other forms of fraud under the Fair Credit Reporting Act (“FCRA”) and various state law causes of action.
The plaintiffs attempted to recover under three primary theories—economic injury, violation of common law and statutory rights, and imminent risk of future harm. However, the court rejected each of the plaintiffs’ allegations that harm had ensued from the data breach. First, the plaintiffs alleged that because they paid insurance premiums to Horizon Healthcare, at least some of those premiums should have paid for data protection. Through this reasoning, the plaintiffs claimed they received “less than they bargained for” when Horizon Healthcare failed to encrypt all of its computers. However, the court ruled that neither actual injury nor monetary loss resulted from Horizon Healthcare’s actions, and therefore plaintiffs failed to allege standing through economic injury. Second, the court held that a violation of common law and statutory rights alone is insufficient to establish an injury absent some form of actual, personal harm experienced by the class. Third, the court followed a growing number of rulings by holding that the possibility of future identity theft is not sufficient to prove actual injury. The court explained that, absent a showing that the laptop thieves intended to misuse the stolen data, or that the information contained in the laptops had actually been misappropriated, the plaintiffs’ allegations of harm were conjecture. Furthermore, the court held that the expense associated with credit monitoring would not save plaintiffs’ claims because such costs are self-imposed and do not rise to the level of an actual injury upon which standing can be established.
In addition to litigation resulting from data breaches by external parties, a recent FCC announcement underscores the risk of data breaches from within an organization. On April 8, 2015, just days after the Horizon Healthcare decision, the FCC settled an investigation with AT&T for an “internal” data breach after AT&T employees stole the information of approximately 280,000 AT&T customers and sold the information to third parties. The $25 million settlement is the FCC’s largest data security enforcement action. Its provisions also outline several remedial measures, including that AT&T must conduct a privacy risk assessment, develop a privacy compliance manual, and submit routine compliance reports to the FCC, as well as notify and offer free credit monitoring services to any affected customers.