Spotlight on Recent Decisions 2021
The Delaware Superior Court recently dismissed a healthcare data breach lawsuit against Brandywine Urology Consultants (“Brandywine”) because it ruled that the victims of the breach failed to provide evidence of injuries or losses caused by a 2020 security incident and, therefore, lacked standing to sue. The suit, Abernathy, et al. v. Brandywine Urology Consultants, P.A., C.A. No. N20C-05-057 MMJ CCLD, resulted from a ransomware attack that was discovered by Brandywine in January 2020, and which was reportedly live on the network for two days before it was detected and isolated by the IT team. Interestingly, during the attack, cyberthieves accessed and encrypted records that included patient names, addresses, Social Security numbers, medical file numbers, claim data, and other financial and personal data but at no time did the cyberthieves attempt to extract a ransom. According to the Delaware Superior Court’s January 21, 2021 Opinion, Brandywine notified all of its patients of the attack via breach notification letters.
In May 2020, the breach victims filed suit against Brandywine, alleging negligence, invasion of privacy, breach of express contract, breach of implied contract, negligence per se, breach of fiduciary duty, noncompliance with the Delaware Computer Security Breach Act, and violation of the Delaware Consumer Fraud Act. In July 2020, Brandywine filed a motion to dismiss arguing that the plaintiffs lacked standing to sue—essentially that victims suffered no concrete, particularized, and actual or imminent injury-in-fact. In order to demonstrate “injury-in-fact” the victims alleged imminent risk of future harm, a loss of privacy, anxiety, failure to receive the benefit of the bargain, a loss of value to the property in personally identifying information, and disruption in medical care. The lawsuit sought mitigation expenses caused by the breach. In July 2020, Brandywine filed a motion to dismiss arguing that the plaintiffs lacked standing to bring the case to federal court—essentially that plaintiffs suffered no concrete, particularized, and actual or imminent injury-in-fact.
In its January 21, 2021 Opinion, the Delaware Superior Court stated that in “data breach cases [in Delaware], [p]laintiffs must provide at least some plausible specific allegations of actual or likely misuse of data to satisfy the standing requirement and avoid dismissal under [Superior Court Civil] rule 12(b)(1).” The court also noted that Delaware courts have not yet addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact sufficient to confer standing. Brandywine argued that it did not.
The court found that Brandywine’s breach notification specified that the breach was only a possible compromise of personal and financial information during the ransomware attack. It did not concede that it was a concrete and imminent threat. The court also determined that Brandywine appeared to act quickly in response to the breach and took the appropriate steps to investigate what had transpired. Ultimately, the court decided that Brandywine should not be punished for having notified individuals about a possible compromise of their data. In fact, the court expressed hesitancy about making any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution. The court stated that the mere fact that the attack occurred, without more, is insufficient to confer standing on plaintiffs. The court also found that mitigation costs, including credit monitoring and placing freezes and alerts with credit reporting agencies, do not create an injury sufficient to confer standing on plaintiffs who allege speculative harms resulting from a data breach.
In a similar case in the Middle District of Pennsylvania, cited in the Delaware Superior Court’s Opinion, the court also found that “[p]laintiffs’ alleged harm—that they are now at an increased risk of identity theft—does not suffice to allege an imminent injury.”
Though the courts remain fragmented on the issue of standing in data breach cases, the Delaware Superior Court’s opinion lays the groundwork for what may become the norm: a heightened pleading requirement for Article III standing in such cases.
