We talk a lot on this blog about data-breach lawsuits that arise from breaches in which a hacker targeted and stole personal information from a business.

Also common, though, are situations in which a business fails to secure data, but then discovers and corrects the issue before hackers steal anything. As we’ve noted before, these “exposure without disclosure” cases can lead to enforcement actions by privacy and data-security regulators like the FTC—despite a seeming absence of harm to individual consumers.

But can they also form the basis for a private lawsuit?

A recent decision from a federal court in Ohio explores that question. This post examines that decision, called Williams-Diggins v. Mercy Health.

Showing no mercy

Mercy Health is a large health system that operates across Ohio and Kentucky. Like many healthcare providers, Mercy operates and maintains online portals through which patients can access their medical information.

In 2016, Lindsey Williams-Diggins, a Mercy patient, filed a federal lawsuit against Mercy that alleged Mercy’s patient portal suffered from critical security vulnerabilities. Computer security experts, the complaint alleged, had identified those vulnerabilities years earlier, and they were well known in the industry. Williams-Diggins alleged that because of Mercy’s failure to identify and correct the vulnerabilities, “sensitive medical information . . . has been exposed and is a great risk of further unauthorized disclosure (if it hasn’t already been disclosed).”

Three days after the complaint was filed, Mercy had fixed the vulnerability.

Williams-Diggins then filed an amended complaint that acknowledged Mercy fixed the vulnerabilities after he filed the lawsuit. But he still asserted claims for breach of contract, unjust enrichment, breach of confidence, and violation of Ohio’s Consumer Sales Protection Act. Those claims centered on two theories:

  • An “increased risk of future harm” theory, under which Mercy’s lax data security measures and the corresponding “exposure” of its patients’ sensitive health information before the vulnerability was fixed put them at greater risk of identity theft; and
  • An overpayment theory, under which patients who paid for Mercy’s healthcare services received “diminished value” for those services when Mercy failed to protect their health information.

No harm no foul?

Mercy moved to dismiss under Rules 12(b)(1) and 12(b)(6). Its arguments centered on two themes.

First, argued Mercy, Williams-Diggins could not establish an injury-in-fact sufficient to establish Article III standing. Williams-Diggins had not alleged that his or anyone else’s data was accessed or stolen, and thus any risk of future identity theft was too speculative.

Second, Mercy argued that Williams-Diggins’ overpayment theory failed because he had alleged no facts to show that the parties bargained for data security measures as part of Mercy’s delivery of healthcare services. And even if they had, Williams-Diggins’ failure to allege that his data was accessed or stolen left him “in the very same position . . . that he would have been even if the alleged failure he [was] complaining about never existed.”

The court’s decision

The court agreed with Mercy and dismissed the action for lack of standing.

To reach that result, the court first looked to the Supreme Court’s decision in Clapper v. Amnesty International. Williams-Diggins, observed the court, had only alleged that his information “might” have been accessed improperly. And that allegation, concluded the court, reflected only a “possible future injury” that relied on a “speculative chain of possibilities.” Clapper held that such an injury is not an injury-in-fact under Article III.

The court then turned to Williams-Diggins’ overpayment theory. Even taking his allegations as true, reasoned the court, Williams-Diggins paid only for the expectation that Mercy would not disclose his information to unauthorized third parties. And this, explained the court, “was what he received.” Although Mercy’s approach to data security may have been “clumsy,” it was also harmless. As a result, there was no “overpayment” for services that could confer standing.

An important limit on overpayment theories?

As we’ve discussed before, overpayment theories have become popular with data-breach plaintiffs seeking to clear Article III’s standing hurdle. Those theories may have legs when there’s been an actual data breach. But when it comes to “exposure without disclosure” cases, Mercy Health gives defendants a strong argument that plaintiffs got what they paid for.