Dismissing a class action based on a data breach, the Southern District of Texas added to the growing number of decisions that find an alleged risk of future identity theft due to a data breach is not an injury that creates standing to bring federal claims. The plaintiff, Beverly Peters, a former St. Joseph patient, brought a class action lawsuit against the medical provider after receiving notification that her personal information and protected health information had been compromised. St. Joseph moved to dismiss the complaint for lack of standing and failure to state a claim for relief.
During the course of her treatment at St. Joseph, Ms. Peters provided personal information that was stored on St. Joseph’s computer network. Hackers subsequently invaded St. Joseph’s computer network, obtaining access to the personal information of approximately 405,000 individuals.
Despite the fact that St. Joseph had no evidence that any personal information had been misused, it automatically enrolled all potentially affected individuals in a free credit monitoring and identity theft protection service for one year.
Ms. Peters’s complaint alleged violations of the Fair Credit Reporting Act along with various state and common law tort and contract claims. Her core allegation was that she and similarly situated individuals were at “an elevated risk of future identity theft/fraud” due to the breach of St. Joseph’s computer network. In support, she pointed to several incidents: (1) an attempt at a fraudulent charge on her Discover credit card; (2) a fraudulent attempt to access her Amazon.com account using her son’s name, which was contained in St. Joseph’s records; (3) receipt of “daily telephone solicitations from medical products and services companies”; and (4) receipt of unsolicited marketing materials and emails regarding the medical condition listed in St. Joseph’s records.
The Southern District Court of Texas, in an issue of first impression, cited Clapper v. Amnesty Int’l USA and Susan B. Anthony List v. Driehaus to support its finding that the injury alleged by Ms. Peters failed to rise to the level of “certainly impending” or “substantial” risk to establish the requisite Article III standing. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013); Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014).
The court reasoned that Ms. Peters’s allegations of future harm had numerous variables, including time and manner. The court also noted the difficulty in determining whether any misuse of her personal information could be traced to St. Joseph’s breach. Most importantly, the Court found that:
Even if the above injuries were traceable to St. Joseph’s alleged failures under the FCRA, it is not likely that a favorable decision from this Court would redress the harm she has experienced. St. Joseph argues that Peters has not alleged any quantifiable damage or loss she has suffered as a result of the Data Breach. This Court agrees.
Peters v. St. Joseph Svcs. Corp., Civ. No. 4:14-CV-2872 (S.D. Texas Feb. 11, 2015).