BreachExchange mailing list archives

Massachusetts Court: Patients Have Standing to Sue for Data Breach Based on Data Exposure Alone


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 6 Jan 2016 17:20:47 -0600

http://www.jdsupra.com/legalnews/massachusetts-court-patients-have-58160/

A Massachusetts Superior Court judge held that a plaintiff has standing to
sue for money damages based on the mere exposure of plaintiff’s private
information in an alleged data breach. The court concluded that the
plaintiff had pleaded a “real and immediate risk” of injury despite failing
to allege that any unauthorized persons had even seen or accessed that
information.  The Massachusetts decision adopts a more relaxed approach to
standing than has generally been followed in the federal courts.  The
holding, however, may not have broad applicability outside of Massachusetts
state court, and does not eliminate potential obstacles to proving the
claims asserted.

In *Walker et al v. Boston Medical Center Corp.*, No. 2015-1733-BLS 1
(Mass. Super. Ct. Nov. 19, 2015), plaintiffs alleged that Boston Medical
Center Corp. (“BMC”) notified them that their medical records “were
inadvertently made accessible to the public through an independent medical
record transcription service’s online site.”  Although BMC did not know how
long the information had been vulnerable to access by unauthorized
individuals, BMC notified the plaintiffs by letter that it had no reason to
suspect that any patient data had been misused as a result of the breach.
Plaintiffs do not allege that any unauthorized persons actually viewed,
accessed or misused their private information.  Plaintiffs seek to recover
money damages under a host of statutory and common law theories.

BMC moved to dismiss for lack of standing. A robust line of federal
authority, following the Supreme Court’s decision in *Clapper v. Amnesty
International USA*
<https://supreme.justia.com/cases/federal/us/568/11-1025/>, 113 S. Ct. 1138
(2013), holds that alleging mere exposure of private data, without any
resulting harm or injury, is insufficient to establish standing to sue for
money damages in federal court.  Without citing to or distinguishing these
federal cases, the Massachusetts court denied BMC’s motion to dismiss,
reasoning that pleading a “real and immediate risk” of injury was
sufficient for a plaintiff to demonstrate standing.  Although the *Walker*
plaintiffs did not allege that their medical records had been accessed, or
their personal information used, by any unauthorized person, the court’s
holding indicates that the mere *exposure* of patient data to the *potential*
to be accessed by unauthorized persons may still adequately plead an
injury.  In this case, the plaintiffs alleged facts that, if true
“suggest[ed] a real risk of harm from the data breach at BMC” (internal
quotations omitted) because BMC’s letter notifying the plaintiffs of the
data breach supported an inference that “plaintiffs’ medical records were
available to the public on the internet for some period of time and that
there is a serious risk of disclosure.”  Based on this inference, the court
found it was reasonable to draw the further inference that the records
“either were accessed or likely to be accessed by an unauthorized person.”
This “general allegation of injury from the data breach” was sufficient to
demonstrate standing.

This decision is significant for several reasons. First, *Walker*
represents a comparatively lax approach to standing, in which alleging the
mere *exposure* of information with the potential for access and misuse by
unauthorized persons pleads sufficient injury to establish standing and
survive a motion to dismiss.  In contrast, in *Clapper*, the U.S. Supreme
Court held that plaintiffs who alleged that the National Security Agency
(“NSA”) actually *had access* to their private telephone and email
conversations through its surveillance program still lacked Article III
standing to sue based on the theory that their communications would be
obtained at some future point.  In other words, the threat of future injury
was insufficient to support Article III standing even where access, not
just exposure, to private information was actually alleged.  113 S. Ct.
1138, 1143 (2013).

*Walker*’s adoption of the relaxed “real risk of harm” standard for
establishing standing in a data breach claim also leaves in question
whether there may be real, meaningful differences in standing doctrine
between the federal courts and Massachusetts’ Trial Court.  While the
federal courts are subject to the constitutional restrictions of Article
III’s “case or controversy” requirement, Massachusetts’ highest court has
suggested in other cases that standing doctrine in state courts is not so
exacting: “State courts…are not burdened by” the federal courts’ “same
jurisdictional concerns and, consequently, may determine, particularly when
class actions are involved, that concerns other than standing in its most
technical sense may take precedence.” *Weld v. Glaxo Wellcome Inc.*
<http://masscases.com/cases/sjc/434/434mass81.html>, 434 Mass. 1, 88-89
(2001).  Given this comparatively lax application of standing doctrine in
Massachusetts state courts, *Walker*’s holding may not actually move the
needle much and may have limited force beyond Massachusetts Superior Court.

As the *Walker* case proceeds through discovery, the parties will have the
opportunity to build a fulsome record demonstrating the actual breadth of
the exposure, if any, resulting from the data breach, and whether, and to
what extent, the breach posed a risk of harm to the plaintiffs, including
the likelihood of any nefarious use of the plaintiffs’ personal
information.  Accordingly, any longer lasting principles that develop out
of this case may have to await further proceedings to establish what, if
any, harm resulted from the breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/