On February 11, 2015, the U.S. District Court for the Southern District of Texas held that a plaintiff lacked standing to pursue claims for alleged violations of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”) against St. Joseph Services Corporation d/b/a St. Joseph Health System, and St. Joseph Regional Health Center (collectively, “St. Joseph”). In dismissing a putative class action, the court found that the heightened risk of future identify theft or fraud posed by a data breach did not confer Article III standing on persons whose information may have been accessed. The District Court held that plaintiff could not establish Article III standing because she had not suffered an injury, actual or imminent, that was traceable to St. Joseph’s conduct.

St. Joseph, a health care service provider, announced via a February 4, 2014 letter that between December 16, 2013 and December 18, 2013, a security breach of its computer system occurred (the “Data Breach”). As a result of the Data Breach, hackers potentially gained access to the personally identifiable information and protected health information of plaintiff and approximately 405,000 others. In her complaint, plaintiff alleged that she suffered an attempted access to her credit card, attempted access to her Amazon.com account, telephone solicitations from medical product and services companies, spam email sent from her account, and physical and electronic materials targeting her medical condition.

To show standing pursuant to Article III of the Constitution, a plaintiff bears the burden of establishing injury, causation, and redressability. In this case, according to the court, plaintiff failed to carry that burden on all three elements. First, to the extent that plaintiff argued that the increased risk she faced of future identify theft or fraud constituted an “imminent” injury, the court rejected this argument, explaining that plaintiff’s “alleged future injuries are speculative – even hypothetical,” which was insufficient to “plausibly establish a ‘certainly impending’ or ‘substantial’ risk that she will be victimized.” The court noted that a split had existed among the Third, Seventh, and Ninth Circuits over whether the increased risk of harm stemming from a data security breach constituted imminent injury for purposes of Article III, but it concluded that a recent U.S. Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), had resolved that split.

Second, the court noted that, even if plaintiff had alleged that she suffered unreimbursed costs in mitigation of the Data Breach, such costs would not have been sufficient to satisfy the injury requirement because “voluntary mitigation expenses are not valid Article III injuries.” Finally, the court held that the incidents identified by plaintiff as evidence of actual identify theft failed to meet the causation and redressability elements of the standing test. To the extent that any of these occurrences were cognizable injuries, they were the result of the independent actions of opportunistic third parties and thus failed the causation test. Moreover, the court held that, even if she satisfied the first two prongs, it was not likely that a favorable decision from the court would redress the harm she had experienced.

A copy of the decision is available by clicking here.