A healthcare data breach lawsuit against Northeast Radiology and its supplier Alliance Healthcare Services has been dismissed by a judge in the U.S. District Court for the Southern District of New York, citing a failure to provide evidence of imminent risk of fraud or actual harm.
In determining the dismissal, the judge referred to the Supreme Court's June 2021 decision and found that “to be specific, an injury ‘must actually exist.’” In addition, victims of the violation must identify and provide evidence of “a close historical or common law analogy for their alleged injury, though it need not be an exact copy.”
“As far as statutory damages are concerned, it is not enough to allege that a defendant violated the law,” according to the decision. “Only those plaintiffs who have been specifically harmed by the defendant's statutory violation will have standing.”
Filed in July 2021, the class action stemmed from a nine-month data breach caused by long-standing vulnerabilities in the vendor's picture archiving and communication system (PACS). PACS are leveraged by health systems to easily share medical images and health information with connected partners, as well as for data archiving purposes.
However, the technology has well-documented vulnerabilities that can easily allow unauthorized access to sensitive data. The lawsuit itself followed an SC Media report detailing the risk of these flaws and a Department of Health and Human Services warning that found 130 health systems actively exposing images through these flaws.
For Northeast Radiology and Alliance Health, overlooked flaws in PACS allowed a threat actor to gain access to legacy technology, exposing data belonging to 298,532 patients. The data included names, dates of birth, exam descriptions, dates of service, medical images and details, and corresponding Social Security numbers.
Alliance began notifying these patients in March 2020, and the class action lawsuit followed on July 8, 2021. The lawsuit alleged that the vendors' “careless handling of e-PHI is prohibited by federal and state law” and because of the non-compliance with the Health Insurance Portability and Accountability Act, both Northeast Radiology and Alliance Health caused direct harm to victims.
The alleged injuries included an ongoing, immediate risk of identity theft and fraud, “because, unlike a credit card, there is no way to cancel e-PHI.” The lawsuit argued that the vendors' security policies, the providers' communications and the disclosed vulnerabilities would shed light on the allegations of harm.
In dismissing the case, the judge says the risk of future harm is too speculative
However, the judge disagreed with those claims and explained that tort victims seeking injunctive relief to prevent future harm “may prove injury in fact if they demonstrate that ‘the risk of future harm is sufficiently imminent and substantial,’” as noted in the Supreme Court decision on damages.
Moreover, in seeking damages, the Supreme Court held that “the mere risk of future harm, by itself, cannot be characterized as specific harm—at least not unless the exposure to the risk of future harm itself causes a separate specific harm.”
Therefore, the judge ruled that the victims of the breach had not “alleged an injury sufficient to confer standing.”
It is worth noting that the lawsuit did not allege that the affected patients' data was misused. The judge then ruled that the allegation that the unauthorized actor would “see” the patient data in the file name list and download a copy was “extremely unlikely” and “too remote to prove that [the patients'] risk of future harm from identity theft is significant or imminent.”
Further, the judge rejected the idea that the PACS breach was specifically aimed at identity theft, as the victims did not provide evidence of alleged or suspected data misuse.
“The patients' claim that they would not have used the defendants' services if the defendants had disclosed their inadequate safety practices also does not allege an injury in fact,” the judge ruled. Patients “are not alleging any misuse or attempted misuse of their data as a result of the breach.” And even if they did “lose some degree of privacy,” they failed to prove the alleged specific harm.
“Allegations of potential harm without factual support are insufficient,” according to the ruling. Additionally, the “risk of future harm to patients is too speculative to establish standing” and the “efforts and expense of the victims of the breach to monitor their accounts is not a sufficient injury in fact to confer standing.”
The dismissal may help clarify the standing requirements for future healthcare data breach lawsuits, an issue recently examined in BakerHostetler data and an SC Media report on the alarming number of law firms rushing to publicize healthcare data breaches.