On July 16, the U.S. District Court for the Middle District of Alabama dismissed a putative class action against Sarrell Regional Dental Center for Public Health relating to a 2019 ransomware incident.
Data Incident and Response
In July 2019, Sarrell detected ransomware on one of its computers and immediately deactivated its network, temporarily closed its practices, and engaged an independent computer security firm to conduct a forensic investigation of the breach. Sarrell also rebuilt its business systems with updated security and virus protection before reopening.
At the conclusion of its investigation—which found no evidence that any files or information had been copied, downloaded, or removed from its network or misused—Sarrell prepared and delivered notices of the incident to more than 390,000 patients. The notices informed the patients that the breach may have resulted in the disclosure of their personal health information, but that Sarrell’s investigation had uncovered no evidence that the patients’ information had been misused in any way.
Class Action Filed
In October 2019, one of Sarrell’s patients filed a putative class action on behalf of herself, her three minor children, and other similarly situated patients whose information may have been affected by the breach. She did not allege that she and her children had suffered any harm from actual misuse of their personal information, but she claimed that they were at an “increased risk” of suffering harm from identity theft, that they would be forced to assume the cost of monitoring their credit to mitigate the risks of identity theft, that she had overpaid for their dental services because she expected their information would be protected, and that their personal information had diminished in value as a result of the breach.
Case Dismissed – “Pure Applesauce”
On July 16, 2020, the district court dismissed the case. The court ruled that the plaintiff did not have standing to bring the case because neither she nor her children had suffered a concrete injury from the breach. The judge wrote that absent allegations of any actual misuse of their leaked information, most courts require allegations showing that the potential for future misuse is “certainly impending,” and all courts require allegations showing that there is at least a “credible threat” that the information will be misused. In other words, the fact that the breach occurred could not in and of itself form the basis of the plaintiff’s case without allegations showing some imminent or likely misuse of the leaked information.
As to Sarrell’s breach, the plaintiff did not raise any specific plausible allegations that her or her children’s information was or would likely be misused. In fact, the notice she received from Sarrell—on which she based her lawsuit—stated that its investigation revealed that no information was copied, downloaded, or removed from its network and that there was no evidence that any information which may have been involved in the incident had been misused.
The court found the “possibility” that hackers may have obtained sensitive information, which they could potentially disseminate or misuse, too speculative to form the basis of a federal lawsuit. Likewise, the court held that the plaintiff’s alleged time and money spent protecting herself against this speculative threat could not create an injury upon which she could file suit, as that would be tantamount to allowing her to sue for the breach itself. Finally, in a footnote, the court dismissed the plaintiff’s claims that she would not have paid for dental services had she known that Sarrell would later get hacked, referring to the theory as “pure applesauce.”
Takeaways for Companies Responding to Potential Data Breach Lawsuits
Although there continues to be a split among courts as to whether a plaintiff must allege actual damages resulting from a breach as opposed to alleging only an increased risk of harm due to the breach, this case highlights the critical importance of a thorough and prompt response on the part of the compromised entity. The plaintiff here alleged that the ransomware attack was a direct consequence of Sarrell’s failure to employ appropriate cybersecurity measures and standards to protect its patients’ personal and sensitive information. Even though the court accepted this allegation as true, it still dismissed the case because Sarrell promptly shut down its systems, closed its practice locations, and hired an independent cybersecurity firm to investigate the incident—which revealed that none of the vulnerable information had been copied, downloaded, removed, or misused.
The judge’s ruling also reinforced Sarrell’s decision to issue notices to its patients given that it could not rule out the possibility of a breach with 100% certainty. Because Sarrell had taken the necessary steps to address and investigate the incident, it was able to notify its patients not only that there was an incident that may have affected their personal information, but also that it had conducted an investigation and found no evidence of misuse.
Regardless of the jurisdiction, a company responding to a potential data breach lawsuit has its strongest defense when it can point to an effective and timely response to a data incident demonstrating that access to its patients’ information was limited or did not actually occur or that the information accessed was not sensitive.
That is not to undercut the necessity of reasonable security measures before the incident and any necessary or responsible remedial steps taken after the incident. Ultimately, a company will be best positioned to defend itself against any litigation that results from a breach when it takes preventative steps on the front end, responds quickly and thoroughly to a data security incident, and takes appropriate remedial action.