Beverly Peters wasn’t alone in having her personal information — including medical data — laid bare for hackers. Just the opposite. Peters was just one of more than 400,000 patients of St. Joseph Hospital whose information was stolen by hackers in an attack that took place between December 16 and 18, 2013. In that incident, hackers gained access to information on current and former patients of the facility as well as employees.
In notifying current and former patients and employees, St. Joseph said that it wasn’t aware of any of the information being misused. Still, after Peters found that her Discover credit card information had been stolen some months later, and that hackers had tried to infiltrate her Amazon.com account — posing as her son — she was pretty sure what the source of her woes was. And she was determined to act.
Peters filed a 13-count complaint against St. Joseph, alleging violations of the federal “Fair Credit Reporting Act” (FCRA). She alleged that her personal information had been exposed in the breach and then disseminated in the public domain, where it was being “misused by unauthorized and unknown third parties.” Hackers' attempts to use her son’s name to compromise her Amazon.com account was particularly damning, Peters claimed: that information could only have been obtained from names and next-of-kin information she provided to St. Joseph before the data breach.
Peters also asserted that telemarketers were using the stolen information – that she had been besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph.
Despite that, a Federal court in Texas decided last week that Peters could not prove harm from the breach and, therefore, did not have standing to bring the case against St. Joseph.
Peters argued that she faced an “imminent injury” due to “increased risk” of future identity theft and fraud because of the breach at St. Joseph.
But the court found otherwise, ruling that she lacked standing in federal court under Article III of the Constitution, because she hadn’t been able to prove any direct damages from the attempted identity theft, and the threat she faced in the future was not “imminent.”
“Peters’ alleged future injuries are speculative — even hypothetical — but certainly not imminent,” the court ruled in an opinion on February 11. Peters, the court concluded, “cannot describe how [she] will be injured without beginning the explanation with the word ‘if.’” “The misuse of her information could take any number of forms, at any point in time,” the opinion reads. “The risk of future harm is, no doubt, indefinite. It may even be impossible to determine whether the misused information was obtained from exposure caused by the data breach or from some other source. Ultimately, Peters’ theory of standing “relies on a highly attenuated chain of possibilities.”
Interestingly, the ruling turns on a high profile case involving government surveillance dating back to the Carter administration, as this reading notes. In 1978, The U.S. Supreme Court ruled in Clapper v. Amnesty International USA, striking down a suit filed by reporters, attorneys and the human rights group to challenge part of the Foreign Intelligence Surveillance Act (FISA). The plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and the threat would force them to take expensive security measures to keep their communications private. But the Supreme Court ruled otherwise, saying the threat of government surveillance was hypothetical, but not “certainly impending.”
In his 15 page ruling, U.S. District Judge Kenneth Hoyt said the same logic applied to Peters’ suit as well. “Under Clapper, Peters must at least plausibly establish a “certainly impending” or “substantial” risk that she will be victimized,” Hoyt wrote. “The allegation that risk has been increased does not transform that assertion into a cognizable injury.”
The case could have important implications for tens or hundreds of millions of U.S. residents who have had financial and personal data exposed in data breaches in recent years. The ruling implies such victims would have to show harm as a direct consequence of a specific breach in order to successfully sue for relief – a high bar to meet for any cyber forensic investigation.
More from the Digital Guardian Data Security Knowledge Base:
How to Protect Unstructured Sensitive Data
Organizations' most valuable data assets often exist in unstructured form, making them increasing challenging to protect. Learn about Digital Guardian's approach to securing unstructured data in this whitepaper.
Digital Guardian Case Study
A healthcare organization identified a significant risk of non-compliance. Deploying Digital Guardian resulted in an 85% reduction decrease in prompts to users in the first 6 months.
Related ArticlesWill SCOTUS Spokeo Ruling Deny Justice To Data Breach Victims?
The suit against professional tracking service Spokeo didn’t involve a data breach, but the ruling this month by the Supreme Court in Spokeo’s favor could have big implications for breached firms and their customers.Equifax: 2.4M Additional Americans Affected by 2017 Breach
Equifax this week revised the total number of Americans affected by last year’s breach: 147.9 million Americans, as well as some Canadian and British nationals.Court Sides with Insurer: Credit Card Data isn’t Lost Property
A court in Alabama threw out a suit brought by a breached grocery store chain, saying that stolen credit card data doesn’t count as “damaged property.”