As more and more ransomware attacks affect companies large and small, such as the recent, well-known attacks on the Colonial Pipeline and the meat processing company JBS, industrious plaintiffs’ counsel will continue to attempt to leverage these attacks to bring class action suits against the companies suffering the attacks. The majority of these attacks are focused on companies in the healthcare industry. A ransomware attack is when an attacker uses malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker. Not only do these companies need to investigate these attacks to prevent them from occurring in the future and to regain access to their computer systems, but the possibility of a class action can cause even more disruption and concern for such businesses. However, recent courts have looked unfavorably on such suits filed in federal court due to a lack of Article III standing.
In Travis v. Assured Imaging, LLC, 2021 WL 1862446 (D. Ariz. May 10, 2021), the plaintiff brought a class action arising out of a May 2020 ransomware attack that left the defendant’s computer network inaccessible for several days. The defendant conducted an investigation of the ransomware attack and determined that certain limited data was exfiltrated from the systems while other data simply became inaccessible. While the defendant sent a Notice of Data Breach to certain plaintiffs out of an abundance of caution, the defendant never acknowledged that the plaintiffs’ information had been stolen. The court determined that the information accessed (the plaintiffs’ full names, address, date of birth, treating clinician, medical history, service performed, and assessment of service performed) would not lead to an increased risk of a certainly impending identity theft or fraud injury and dismissed such claims. The court also found that monitoring costs were not sufficient to confer Article III standing because there was no imminent risk of future harm and plaintiffs cannot manufacture standing by inflicting harm based upon fears of hypothetical injury. Plaintiffs also failed to properly allege that their protected health information (“PHI”) became less valuable as a result of the attack, that the attack impacted the value of the services received by the defendant, and that the attack caused the plaintiffs emotional harm.
In Graham v. Universal Health Service, Inc., 2021 WL 1962865 (E.D. Penn. May 17, 2021), the plaintiffs brought a putative class action arising out of a Sept. 2020 ransomware attack on one of the largest health care companies in North America. The plaintiffs alleged that the defendant failed to safeguard their protected health care information (“PHI”) and that the defendant’s systems were inaccessible because of the attack. The issue presented to the court was whether the plaintiffs could show injuries sufficient to confer standing in federal court. Two of the three named plaintiffs only alleged increased risk of identity theft as well as expenditures of time and money involved in monitoring the plaintiffs’ financial accounts. The third plaintiff alleged that the ransomware attack delayed his surgery and that, in the interim, his employer-provided health care insurance lapsed, requiring him to purchase alternative insurance at a higher premium.
The court analyzed United States Supreme Court and Third Circuit precedent to determine whether the plaintiffs alleged Article III standing to bring the case in federal court. The court determined that the one plaintiff who alleged an increase in health care insurance premiums alleged an injury-in-fact to confer standing in federal court and denied the defendant’s motion to dismiss on this basis. However, the court granted the defendant’s motion to dismiss as to the first two plaintiffs, reasoning that an increased risk of identity theft was not enough to confer standing in federal court. While the plaintiff argued that other circuits (the Sixth, Seventh, Ninth, and Tenth) have found an increased risk of harm sufficient to confer standing in other data breach actions, prior Third Circuit law mandated dismissal under this theory. The court also rejected plaintiffs’ argument that the cost to monitor their financial accounts was enough to confer standing. See also Blahous v. Sarrell Reg. Dental Ctr. For Public Health, Inc., 2020 WL 4016246 (M.D. Ala. July 16, 2020) (dismissing class action arising out of ransomware attack); Keach v. BST & Co. CPAs, LLP, 71 Misc.3d 1204(A) (N.Y. Sup. Ct. Mar. 30, 2021) (granting motion to dismiss plaintiffs’ class action ransomware suit); Abernathy v. Brandywine Urology Consultants, P.A., 2021 WL 211144 (Del. Sup. Ct. Jan. 21, 2021) (same).
These cases have led certain plaintiffs to file ransomware (and other data breach) class actions in state courts because many state courts do not have the same Article III standing limitations applicable to federal courts. While most defendants would prefer to litigate class actions in federal court, defendants likely will continue to move to dismiss such claims at the outset of the case (as a court can always raise Article III standing sua sponte). While the United States Supreme Court is expected to rule on Article III standing in a pending Fair Credit Reporting Act class action appeal in the next few months (see TransUnion v. Ramirez, 20-297), which may impact pending and future ransomware and data breach cases, it is only a matter of time before the Supreme Court takes up the issue of Article III standing specifically in a ransomware or data breach class action.