Court Finds Data Breach not an Imminent Risk to Victim

A federal court ruled last week that a massive data breach at a Texas hospital didn’t put patients at imminent risk of identity theft.

Beverly Peters wasn’t alone in having her personal information — including medical data — laid bare for hackers. Just the opposite. Peters was just one of more than 400,000 patients of St. Joseph Hospital whose information was stolen by hackers in an attack that took place between December 16 and 18, 2013. In that incident, hackers gained access to information on current and former patients of the facility as well as employees.

In notifying current and former patients and employees, St. Joseph said that it wasn’t aware of any of the information being misused. Still, after Peters found that her Discover credit card information had been stolen some months later, and that hackers had tried to infiltrate her account — posing as her son — she was pretty sure what the source of her woes was. And she was determined to act.

Peters filed a 13-count complaint against St. Joseph, alleging violations of the federal Fair Credit Reporting Act (FCRA). She alleged that her personal information had been exposed in the breach and then disseminated in the public domain, where it was being “misused by unauthorized and unknown third parties.” The hackers' attempts to use her son’s name to compromise her account were particularly damning, Peters claimed: that information could only have been obtained from the names and next-of-kin information she had provided to St. Joseph before the data breach.

Peters also asserted that telemarketers were using the stolen information: that she had been besieged with calls and solicitations from medical products and services companies, with telemarketers asking to speak to her and to specific family members whose contact information was part of the record stolen from St. Joseph.

Despite that, a federal court in Texas decided last week that Peters could not prove harm from the breach and, therefore, did not have standing to bring the case against St. Joseph.

Peters argued that she faced an “imminent injury” due to “increased risk” of future identity theft and fraud because of the breach at St. Joseph.

But the court found otherwise, ruling that she lacked standing in federal court under Article III of the Constitution, because she hadn’t been able to prove any direct damages from the attempted identity theft, and the threat she faced in the future was not “imminent.”

“Peters’ alleged future injuries are speculative — even hypothetical — but certainly not imminent,” the court ruled in an opinion on February 11. Peters, the court concluded, “cannot describe how [she] will be injured without beginning the explanation with the word ‘if.’” “The misuse of her information could take any number of forms, at any point in time,” the opinion reads. “The risk of future harm is, no doubt, indefinite. It may even be impossible to determine whether the misused information was obtained from exposure caused by the data breach or from some other source.” Ultimately, the court wrote, Peters’ theory of standing “relies on a highly attenuated chain of possibilities.”

Interestingly, the ruling turns on a high-profile case involving government surveillance dating back to the Carter administration. In 1978, the U.S. Supreme Court ruled in Clapper v. Amnesty International USA, striking down a suit filed by reporters, attorneys and the human rights group to challenge part of the Foreign Intelligence Surveillance Act (FISA). The plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and that the threat would force them to take expensive security measures to keep their communications private. But the Supreme Court ruled otherwise, saying the threat of government surveillance was hypothetical rather than “certainly impending.”

In his 15-page ruling, U.S. District Judge Kenneth Hoyt said the same logic applied to Peters’ suit as well. “Under Clapper, Peters must at least plausibly establish a ‘certainly impending’ or ‘substantial’ risk that she will be victimized,” Hoyt wrote. “The allegation that risk has been increased does not transform that assertion into a cognizable injury.”

The case could have important implications for the tens or hundreds of millions of U.S. residents who have had financial and personal data exposed in data breaches in recent years. The ruling implies that such victims would have to show harm as a direct consequence of a specific breach in order to successfully sue for relief, a high bar to meet for any cyber forensic investigation.

Paul Roberts
