Breach Lawsuit Against Pediatric Dental Practice Dismissed

Judge Rules Proof of Harm Lacking in Ransomware Incident Affecting 391,000 Individuals
A federal judge has dismissed a lawsuit filed against Sarrell Regional Dental Center for Public Health in the wake of a January 2019 ransomware attack that affected more than 391,000 individuals. The judge cited a lack of evidence that any data had been misused.
The ransomware incident that affected the pediatric dental and eye care practice, which has more than a dozen clinics in Alabama, was the 15th largest health data breach reported last year to federal regulators, according to the Department of Health and Human Services' HIPAA Breach Reporting Tool website.
In a statement on its website last October, Sarrell reported that it did not pay a ransom to recover its data. "To protect health information in the future, we rebuilt our business systems with updated security and virus protection for the entire Sarrell network before reopening our practice," the statement said.
In dismissing the lawsuit, which had sought class action status, U.S. District Court Judge Austin Huffaker noted that while "the extent and depth" of the breach is still "murky," Sarrell's investigation into the incident "has not found evidence that any files or information were copied, downloaded, or removed from . . . [its] network" or "discovered any evidence that the information that may be involved in this incident had been misused."
The lawsuit alleged that as a result of the exposure of the plaintiffs' personally identifiable information, the plaintiffs faced an increased risk of identity theft as well as the costs of monitoring their credit.
In his ruling, the judge said the lawsuit alleged that the breach was a direct result of Sarrell's failure to implement adequate and reasonable cybersecurity procedures and protocols. The lawsuit also alleged that as a result of the breach, patient information is "now likely in the hands of thieves," which means they must spend significant amounts of time and money in an effort to protect themselves from the ramifications of the breach and endure a heightened risk of identity theft and fraud, the judge pointed out.
But the judge said the plaintiffs failed to provide "at least some plausible specific allegation of actual or likely misuse of data."
The judge wrote: "The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue. The plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of 'possibilities' and traffics in 'maybes'."
Consumers whose personal information was disclosed in a security breach or ransomware incident often have "a steep hill to climb" when filing a lawsuit, notes privacy attorney David Holtzman, principal of consulting firm HITprivacy LLC.
"Many judges require the lawsuit show that there was an actual or imminent injury to the consumer from the disclosure of their personal information and that it can be directly tied to the security incident that resulted in the unauthorized disclosure of their personal information," he says. "It can be difficult to meet the standard to provide at least some plausible, specific allegation of actual or likely misuse of data."
What ultimately swayed the court in the Sarrell case, Holtzman says, was "the failure to show that there was a specific impending credible threat of harm that resulted from the ransomware attack. Courts can be swayed to accept speculative risks of future harm from identity theft, but the claims must be more than what this court described as 'applesauce'."
Other Cases Settled
Judges in many other breach-related lawsuits have also dismissed the cases when plaintiffs have not shown evidence of harm from the incidents.
But some other lawsuits have been settled when there appeared to be likelihood of harm.
For instance, a preliminary settlement was reached last month in a ransomware-related lawsuit against Iowa Health System, which does business as UnityPoint Health. That case was "starkly different" from the Sarrell lawsuit because the court found "plaintiffs have plausibly alleged injuries that can be linked to this [breached] information," says Paul Hales, an independent privacy and security attorney who was not involved in the lawsuits.
In the UnityPoint case, "plaintiffs alleged facts sufficient to establish an objectively reasonable likelihood of future identity theft," he adds. "As a result, serious settlement negotiations followed."
The lessons are clear, he says. "For plaintiffs, if you're unable to show an 'injury in fact', a Hail Mary lawsuit is worthless. For defendants, pretrial motions hold the keys to success."
More to Come
Despite the dismissal of the Sarrell case, Holtzman says that "it's a good bet that we will continue to see more class action lawsuits brought by consumers whose personal information has been disclosed by healthcare organizations through a cyberattack or ransomware incident."
Too many organizations are making "the same missteps in the areas of privacy and data security," he says. "Through failing to implement 'reasonable security procedures,' healthcare organizations will continue to be defending themselves from privacy and data breach class action lawsuits."