Blog | Faruki PLL

No Data Breach, No Case

Written by Michael Mayer | December 11, 2018

An Ohio federal district court recently handed down a ruling that will make companies storing client data breathe a sigh of relief.  In Williams-Diggins v. Mercy Health, Case No. 3:16-cv-1938 (N.D. Ohio), a patient sued a health system because of deficient patient information software.  (The defendant-health system certified that it subsequently completed updates and additional measures to address the issues with its software.)  The patient sought a nationwide class action lawsuit to pursue various claims, including breach of contract and violation of the Ohio Consumer Sales Protection Act.  The Court dismissed the lawsuit for lack of standing.

The plaintiff-patient had alleged that, under the Health Insurance Portability and Accountability Act ("HIPAA"), the health system had a duty to maintain the security and confidentiality of its patients' medical information.  The health system used the software at issue to store and maintain patients' personal health information and to give patients electronic access to that information.  However, according to the plaintiff, it had been known for several years that the software had vulnerabilities that caused information to be exposed to unauthorized third parties.  The patient alleged that (1) the software's known issues potentially caused it to allow unauthorized individuals to access patients' medical information, including treatment records and lab results, and (2) the health system knew or should have known that the software could be easily accessed, permitting patient information to be removed or deleted.  (Doc. No. 1 at 11 ("It is just a matter of time until a hacker discovers Mercy's vulnerable system and further exposes patients' private medical information.")).

In ruling on the health system's motion to dismiss, the Court recited the requirements for standing to bring a lawsuit, set forth by the Supreme Court in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016):  "[a] plaintiff has standing to assert a claim if the plaintiff '(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.'"  "To establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical."  Id. at 1548. [1]

Citing Spokeo, the district court concluded that "[i]n order to establish standing, [plaintiff] must show a concrete injury…that is, one that actually exists.  Because he cannot, his claims cannot proceed."  Doc. No. 35 at 3.  The Court emphasized that plaintiffs have the burden to allege facts that show they actually have suffered an injury; they cannot proceed by attempting to require the defendant to prove that they were not harmed.  Id. at n.1.  Yet, the plaintiff in Williams-Diggins "only alleged that his personal information might be accessed improperly, not that it actually was."   Id. at 3 (emphasis in original).  "Allegations of possible future injury do not rise to the level of an imminent injury.  …  That possibility is not sufficient to confer standing."  Id. at 4.  Therefore, the Court dismissed the case.

Although companies may rejoice at the ruling and the Court's logic, the case is another reminder that they need to maintain updated security measures to protect their data.  The case also highlights how long litigation can take to be resolved, even when it turns out that the plaintiff did not have the right to file the lawsuit in the first place.  Williams-Diggins had been pending for over two years prior to dismissal.  Companies that maintain sensitive client data would be wise to keep this case in mind.

[1] Both Spokeo and Williams-Diggins dealt with the first requirement for standing in federal court:  injury in fact.  The plaintiff in Spokeo claimed that a search engine provider violated the Fair Credit Reporting Act by allegedly disseminating incorrect information about him and other similarly-situated individuals.  136 S. Ct. at 1544.  The U.S. Supreme Court re-affirmed that the injury in fact requirement for standing under Article III of the Constitution requires a plaintiff to allege an injury that is both concrete and particularized.  Id. at 1545.