- The US Court of Appeals, Fourth Circuit, dismissed a data breach lawsuit earlier this month that alleged the William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC) had violated the Privacy Act of 1974 and the Administrative Procedure Act (APA).
Plaintiffs claimed that earlier reported data breaches at Dorn VAMC created an “increased risk of future identity theft,” and that there were costly measures to protect against it. However, the appeals court agreed with the district court’s ruling in that there was a lack of subject-matter jurisdiction.
The lawsuit was filed after two data breaches were reported at Dorn VAMC. In February 2013, a laptop was stolen from Dorn VAMC's Respiratory Therapy department. The device contained unencrypted personal information of approximately 7,400 patients, including names, dates of birth, the last four digits of Social Security numbers, and physical descriptors (e.g. age, race, gender, height, and weight).
The second incident took place in July 2014, when it was discovered that four boxes of pathology reports meant for long-term storage had been misplaced or stolen. Over 2,000 patients may have had some of their information exposed, including names, Social Security numbers, and medical diagnoses.
The first incident resulted in Richard Beck and Lakreshia Jeffery filing a lawsuit alleging Privacy Act violations, as well as “embarrassment, inconvenience, unfairness, mental distress, and the threat of current and future substantial harm from identity theft and other misuse of their Personal Information.”
The 2014 data breach led to Beverly Watson filing a class-action lawsuit over the missing pathology reports.
“Watson sought money damages and declaratory and injunctive relief, alleging the same harm as did the Beck plaintiffs,” explained the appeals court decision. “The Defendants moved to dismiss the complaint for lack of subject-matter jurisdiction and for failure to state a claim.”
The district court also concluded that Watson’s claim for injunctive relief under the APA was insufficient.
“Her allegations, based on Dorn VAMC's ‘historic inability or unwillingness to protect Plaintiff's personal information’ were insufficient to show that, absent injunctive relief, she would be ‘in real and immediate danger of sustaining a direct injury as a result of some official conduct,’” the appeals court stated.
The Beck plaintiffs also made three allegations in their lawsuit:
- 33 percent of health-related data breaches result in identity theft
- The Defendants expend millions of dollars trying to avoid and mitigate those risks
- By offering the Plaintiffs free credit monitoring, the VA effectively conceded that the theft of the laptop and pathology reports constituted a “reasonable risk of harm to those victimized” by the data breaches.
According to the appeals court, the allegations were insufficient to establish a “substantial risk of harm.” Over two-thirds of healthcare data breach victims would not be identity theft victims, the court stated, which “falls far short of establishing a ‘substantial risk’ of harm.”
The Plaintiffs' other allegations fare no better. Contrary to some of our sister circuits, we decline to infer a substantial risk of harm of future identity theft from an organization's offer to provide free credit monitoring services to affected individuals. To adopt such a presumption would surely discourage organizations from offering these services to data-breach victims, lest their extension of goodwill render them subject to suit.
The appeals court also addressed the Plaintiffs' request for broad injunctive relief under the APA, concluding that the Plaintiffs do not have standing to seek injunctive relief under the APA. The “allegations of Dorn VAMC's past Privacy Act violations are insufficient to establish an ongoing case or controversy,” the court explained.
The written decision acknowledged that the named victims had “been victimized” by “at least two admitted VA data breaches,” and called the past events disconcerting. However, they were “not sufficient to confer standing to seek injunctive relief.”
“The most that can be reasonably inferred from the Plaintiffs' allegations regarding the likelihood of another data breach at Dorn VAMC is that the Plaintiffs could be victimized by a future data breach,” the appeals court stated. “That alone is not enough.”