
Can Inadequate Security Without an Actual Data Breach Support a Class Action? One Federal Court Weighs In

Last week, a district judge in the Northern District of Ohio dismissed a putative class action suit against health care provider Mercy Health, and in doing so, weighed in on the evolving question of standing related to privacy claims.

In Williams-Diggins v. Mercy Health, Case No. 3:16-cv-1938 (N.D. Ohio), Williams-Diggins filed suit against Mercy Health, alleging the health system knew, or should have known, the software it used to store and maintain its patients’ personal health information and to give its patients electronic access to that information operated on an outdated computer server, which could be easily accessed, potentially permitting unauthorized individuals to remove or delete sensitive medical information. Williams-Diggins sought to represent a nationwide class and an Ohio-based subclass of other Mercy Health patients, asserting claims for breach of contract, unjust enrichment, breach of confidence, and violation of the Ohio Consumer Sales Protection Act. The case had been sealed until last week due to concerns that hackers would be able to exploit the allegedly inadequate data security of Mercy Health if the issue was publicly disclosed before the health provider had the chance to address the issue.

Mercy Hospital moved to dismiss Williams-Diggins’ complaint, arguing Williams-Diggins lacked standing to bring the claims contained in his complaint and, standing aside, failed to state a claim. U.S. District Judge Jeffrey J. Helmick agreed, finding that the mere possibility someone could have improperly accessed confidential patient information was not enough to meet the standing requirements established by the Supreme Court’s decision in Spokeo, Inc. v. Robins, --- U.S. ----, 136 S. Ct. 1540 (2016). Judge Helmick explained that Williams-Diggins failed to demonstrate he had suffered a “concrete injury,” such that he had standing to proceed. “The mere possibility that Williams-Diggins’ personal information may have already been compromised and misused, is only a link in the speculative chain of possibilities which might lead from plaintiff’s relationship with defendant to the alleged harm for which he seeks to recover. That possibility is not sufficient to confer standing.” (Order at 4) (internal citations and quotations omitted).

Williams-Diggins also argued he had suffered an economic injury, claiming that a portion of his payments to Mercy Health were for data security measures the health system should have taken, but did not actually take. Judge Helmick similarly rejected this argument. “The problem with plaintiff’s argument is that his allegations only show defendant did not take a specific action, and do not show defendant failed to take sufficient action to prevent unauthorized disclosure.” (Id.) (internal citation omitted). According to the district judge, Williams-Diggins paid for health care services expecting that his personal information would not be disclosed to unauthorized third parties. Because there was no indication Williams-Diggins’ information actually was disclosed to unauthorized third parties, he received what he expected. (Id.

For guidance on responding to data breaches to minimize the risk of litigation and handling such litigation if it occurs, please contact Stephen Reynolds, Jenny Buchheit, or Rachel Spiker. Stephen Reynolds, a former computer programmer and IT analyst, is a partner in Ice Miller’s Litigation and Intellectual Property Group and co-chair of Ice Miller’s Data Security and Privacy Practice. Jenny Buchheit is a senior counsel in Ice Miller’s Litigation and Intellectual Property Group who represents clients at both the trial and appellate levels and focuses much of her work on defending companies in both state and national putative class actions. Rachel Spiker is an associate in Ice Miller’s Data Security and Privacy and Litigation Groups who focuses much of her work on data breach and security incident response.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
