On March 31, 2015, a New Jersey federal judge dismissed a class action lawsuit against Horizon Healthcare Services Inc. alleging the company failed to protect the personal information of thousands of insurance network members following the theft of two company laptops.
An unknown thief stole two password-protected laptop computers from Horizon’s headquarters containing information of more than 839,000 Horizon members. Horizon reported the incident to the police within days and began an investigation into the amount and type of information in the stolen laptops. Horizon notified potentially affected members of the theft via letter and press release. Horizon also offered free credit monitoring and identity theft protection for members who had Social Security numbers stored on the stolen laptops.
Four Horizon members filed a class action on behalf of themselves and other Horizon members whose personal information was housed in the stolen laptops. They alleged that, as “a direct and proximate result of Horizon’s wrongful actions and inaction,” they “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.” Thus the plaintiffs claimed to have sustained “economic damages and other actual harm for which they are entitled to compensation.” The plaintiffs also asserted federal causes of action under the Fair Credit Reporting Act and several state law causes of action.
The federal court rejected each of these claims for lack of standing. The court observed that three of the plaintiffs failed to point to any individual harm. The court held that plaintiffs’ “allegations of hypothetical, future injury are insufficient to establish standing” because plaintiffs had “not suffered any injury” and would not sustain an injury “[u]nless and until these conjectures come true.” In other words, because there was no “misuse” of information, there was no “harm.”
With respect to the fourth plaintiff, who had alleged an actual injury, the court concluded that he too lacked standing. The fourth plaintiff asserted that the Horizon laptop thief filed a fraudulent joint tax return under his and his wife’s names and that the unknown culprit attempted to fraudulently use his credit card. Regarding the tax return, the court concluded that the plaintiff could only “demonstrate the remote possibility, rather than the plausibility, that the fraudulent tax return was connected to the Horizon laptop theft.” Accordingly, the plaintiff’s tax fraud injury is not “fairly traceable” to Horizon. Regarding the credit card, the court reasoned that the plaintiff’s current credit card information (as opposed to a new credit card, which can be fraudulently obtained using a stolen Social Security number) was not on the stolen laptops. Therefore, “any harm stemming from the fraudulent use of [plaintiff’s] current credit card is not ‘fairly traceable’ to [Horizon].”
Finally, the court dismissed plaintiffs’ various New Jersey state law claims for lack of jurisdiction. The court explained that because it lacked original jurisdiction over plaintiffs’ federal claims, it lacked discretion to retain supplemental jurisdiction over the state law claims pursuant to 28 U.S.C. § 1367.
The Horizon decision is another indication that courts are unwilling to entertain claims from customers who have had their personal information stolen purely because their information has been stolen. Customers must show that there has been some sort of misuse of their information traceable to the data breach and that misuse resulted in some harm.