BreachExchange mailing list archives
Massachusetts Court: Patients Have Standing to Sue for Data Breach Based on Data Exposure Alone
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 6 Jan 2016 17:20:47 -0600
http://www.jdsupra.com/legalnews/massachusetts-court-patients-have-58160/

A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information. The Massachusetts decision adopts a more relaxed approach to standing than has generally been followed in the federal courts. The holding, however, may not have broad applicability outside of Massachusetts state court, and does not eliminate potential obstacles to proving the claims asserted.

In *Walker et al v. Boston Medical Center Corp.*, No. 2015-1733-BLS 1 (Mass. Super. Ct. Nov. 19, 2015), plaintiffs alleged that Boston Medical Center Corp. (“BMC”) notified them that their medical records “were inadvertently made accessible to the public through an independent medical record transcription service’s online site.” Although BMC did not know how long the information had been vulnerable to access by unauthorized individuals, BMC notified the plaintiffs by letter that it had no reason to suspect that any patient data had been misused as a result of the breach. Plaintiffs do not allege that any unauthorized persons actually viewed, accessed or misused their private information. Plaintiffs seek to recover money damages under a host of statutory and common law theories. BMC moved to dismiss for lack of standing.

A robust line of federal authority, following the Supreme Court’s decision in *Clapper v. Amnesty International USA* <https://supreme.justia.com/cases/federal/us/568/11-1025/>, 113 S. Ct. 1138 (2013), holds that alleging mere exposure of private data, without any resulting harm or injury, is insufficient to establish standing to sue for money damages in federal court.

Without citing to or distinguishing these federal cases, the Massachusetts court denied BMC’s motion to dismiss, reasoning that pleading a “real and immediate risk” of injury was sufficient for a plaintiff to demonstrate standing. Although the *Walker* plaintiffs did not allege that their medical records had been accessed, or their personal information used, by any unauthorized person, the court’s holding indicates that the mere *exposure* of patient data to the *potential* to be accessed by unauthorized persons may still adequately plead an injury. In this case, the plaintiffs alleged facts that, if true, “suggest[ed] a real risk of harm from the data breach at BMC” (internal quotations omitted) because BMC’s letter notifying the plaintiffs of the data breach supported an inference that “plaintiffs’ medical records were available to the public on the internet for some period of time and that there is a serious risk of disclosure.” Based on this inference, the court found it was reasonable to draw the further inference that the records “either were accessed or likely to be accessed by an unauthorized person.” This “general allegation of injury from the data breach” was sufficient to demonstrate standing.

This decision is significant for several reasons. First, *Walker* represents a comparatively lax approach to standing, in which alleging the mere *exposure* of information with the potential for access and misuse by unauthorized persons pleads sufficient injury to establish standing and survive a motion to dismiss. In contrast, in *Clapper*, the U.S. Supreme Court held that plaintiffs who alleged that the National Security Agency (“NSA”) actually *had access* to their private telephone and email conversations through its surveillance program still lacked Article III standing to sue based on the theory that their communications would be obtained at some future point. In other words, the threat of future injury was insufficient to support Article III standing even where access, not just exposure, to private information was actually alleged. 113 S. Ct. 1138, 1143 (2013).

*Walker*’s adoption of the relaxed “real risk of harm” standard for establishing standing in a data breach claim also leaves in question whether there may be real, meaningful differences in standing doctrine between the federal courts and Massachusetts’ Trial Court. While the federal courts are subject to the constitutional restrictions of Article III’s “case or controversy” requirement, Massachusetts’ highest court has suggested in other cases that standing doctrine in state courts is not so exacting: “State courts…are not burdened by” the federal courts’ “same jurisdictional concerns and, consequently, may determine, particularly when class actions are involved, that concerns other than standing in its most technical sense may take precedence.” *Weld v. Glaxo Wellcome Inc.* <http://masscases.com/cases/sjc/434/434mass81.html>, 434 Mass. 1, 88-89 (2001). Given this comparatively lax application of standing doctrine in Massachusetts state courts, *Walker*’s holding may not actually move the needle much and may have limited force beyond Massachusetts Superior Court.

As the *Walker* case proceeds through discovery, the parties will have the opportunity to build a fulsome record demonstrating the actual breadth of the exposure, if any, resulting from the data breach, and whether, and to what extent, the breach posed a risk of harm to the plaintiffs, including the likelihood of any nefarious use of the plaintiffs’ personal information. Accordingly, any longer lasting principles that develop out of this case may have to await further proceedings to establish what, if any, harm resulted from the breach.
Dataloss Mailing List (dataloss () datalossdb org), archived at http://seclists.org/dataloss/