Federal Court Endorses Dismissal of PracticeFirst Data Breach Lawsuit

The U.S. District Court for the Western District of New York has proposed the dismissal of a class action data breach lawsuit against PracticeFirst Medical Management Solutions over a ransomware attack in 2020.

PracticeFirst, a medical management services company located in Amherst, New York, offers coding, bookkeeping, credentialing, billing, and compliance services to health care providers. On December 30, 2020, PracticeFirst discovered that unauthorized persons had gained access to its system, exfiltrated sensitive files, and then tried to install ransomware. The following data was exfiltrated from its systems: names, Social Security numbers, email addresses, addresses, usernames and passwords, financial data, and medical data. PracticeFirst held talks with the ransomware group, arranged for the return of the information, and obtained confirmation that the stolen files had been deleted and had not been further exposed. The incident was reported to government bodies as affecting more than 1.2 million persons, including patients and personnel, and affected people were mailed notifications about the data breach beginning July 2021. Persons impacted by the breach were given a free 2-year membership to credit monitoring and identity theft protection services.

A couple of days after the notification letters were mailed, a lawsuit was filed by plaintiffs Karen Cannon and Peter Tassmer, who were patients of medical practices serviced by PracticeFirst. The lawsuit sought damages and injunctive relief and demanded that PracticeFirst make considerable security upgrades. It alleged that PracticeFirst's security failures led to the unauthorized disclosure of sensitive information of the plaintiffs and other class members, which put them at a heightened and imminent risk of identity theft, economic damages, and other losses and harm. The lawsuit stated that the plaintiffs and class members had suffered actual injuries in the form of a breach of their privacy rights, a decreased value of their personal information, and time and money spent dealing with the breach that could have been used on other things.

The District Court proposed that the lawsuit be dismissed because the plaintiffs could not show they had suffered concrete harm from the security breach. The threat of identity theft, scams, and other injury was considered too speculative and uncertain. The plaintiffs claimed that because their sensitive information was compromised in the breach, that data would be used for identity theft and fraud. The judge stated in his ruling that the allegations were speculative, considering that this was a ransomware attack that involved an exchange of money for access to data, not the theft of files for identity theft.

The lawsuit claimed damage to the value of the plaintiffs' personal information and protected health information (PHI); however, no evidence was given to support that claim. Though there are organizations that offer to buy personal and healthcare records, the plaintiffs did not state that they had tried to sell their information and had been forced to accept a lower price because of the ransomware attack.

The decision follows the decisions of various circuit and district courts not to grant Article III standing in cases that depend on the impending risk of future identity theft when the plaintiffs have not produced proof of improper use of their personal data and specific damage. The judge's decision referred to the June 2021 decision of the Supreme Court in TransUnion LLC v. Ramirez, in which the Supreme Court decided that the threat of harm cannot be regarded as concrete harm in itself, at least unless the exposure to the risk of future harm itself brings about an independent, tangible harm.

The Supreme Court has explained that allegations of concrete harm that are tied to speculative or likely future injury are not enough, considering that plaintiffs cannot create standing simply by inflicting harm on themselves based on their fears of hypothetical potential harm that is surely impending, the ruling judge noted. The parties have 14 days to submit objections, after which a final ruling will be issued.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone