
Judge Proposes Dismissal of Practicefirst Data Breach Lawsuit

A judge moved to dismiss a data breach lawsuit against medical management company Practicefirst, citing insufficient evidence of actual harm.


By Jill McKeon

A judge of the US District Court for the Western District of New York recommended the dismissal of a class-action lawsuit against medical management company Practicefirst, citing insufficient evidence of actual harm resulting from a December 2020 data breach.

In July 2021, Practicefirst began notifying over 1.2 million individuals of a healthcare ransomware attack targeted at the medical billing, coding, and practice management vendor that potentially exposed protected health information (PHI) and personally identifiable information (PII).

A few days after the notification, victims filed a complaint alleging that “after receiving notification of the data breach, they spent time reviewing their account statements and credit reports for any indication of actual or attempted identity theft, and that this was valuable time which could have been spent on other activities.”

In Ramirez v. TransUnion, the Supreme Court ruled that data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage. The June 2021 ruling marked a significant shift in how data breaches are handled in court. Plaintiffs must now prove that they suffered a concrete injury to claim Article III standing.

In the Practicefirst case, plaintiffs alleged that the breach caused actual injuries, including a diminished PHI value, a violation of their privacy rights, and the possibility of future harm due to the increased risk of identity theft.

“Here, defendants argue that plaintiffs lack Article II standing to sue because they fail to allege an injury-in-fact,” the judge’s motion stated.

“Specifically, defendants contend that plaintiffs have not shown that they experienced concrete harm arising from the data breach or a threat of future harm that is actual or imminent.”

As a result, the court recommended the dismissal of the class action complaint.

In addition, the motion noted that the primary goal of any ransomware attack is “the exchange of money for access to data, not identity theft.”

“Plaintiffs seem to concede this fact,” the motion continued. “However, plaintiffs maintain that because their [PII] and PHI was exfiltrated or copied from defendants’ system as part of the ransomware attack, the hacker must intend to use the data, in the future, for identity theft or fraud.”

The judge argued that this suggestion was purely speculative and noted that of the 1.2 million people impacted, not one has come forward with a claim of actual identity theft in the year following the ransomware attack.

The motion also emphasized that the plaintiffs could not prove that the value of their PHI and PII had diminished.

“The complaint contains general and conclusory allegations that PII/PHI is a ‘valuable commodity’ on the ‘cyber black-market’ and that ‘many companies now offer consumers an opportunity to sell this information to advertisers and other third parties,’” the document continued.

“However, plaintiffs do not allege that they attempted to sell their personal information and were forced to accept a decreased price, nor do they allege any details as to how their specific, personal information has been devalued because of the breach.”

Lawsuits are extremely common in the wake of large-scale data breaches. But because of the previous Supreme Court ruling and other landmark decisions, it may become increasingly difficult to prove actual harm resulting from a data breach.