Credit hacking case opens door to health care class actions

A July 2015 appellate decision handed down in a credit card hacking case could open the door to more class actions for health care data breaches. In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit Court of Appeals held that consumer class action plaintiffs had standing to bring suit against a national retailer based on injuries associated with resolving fraudulent charges and protecting themselves against identity theft. The decision changes interpretation within the circuit of when a potential injury is “certainly impending” and highlights a split in interpretation between judicial circuits. Based on the decision, patients whose health care information has been hacked will likely have standing to bring class actions against providers and other Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) covered entities or business associates, even when there is no evidence that their information has been misused.

Remijas

In December 2013, Neiman Marcus discovered that some of its customers had accrued fraudulent credit card charges. An investigation revealed malware in its computer systems that had attempted to collect data from credit card accounts between July 16, 2013 and October 30, 2013. Three hundred fifty thousand cards were potentially exposed, 9,200 of which were known to have been used fraudulently. The retailer offered all customers who shopped at its stores between January 2013 and January 2014 one year of free credit monitoring and identity-theft protection.

Consumers filed class action complaints that were eventually consolidated; some consumers had incurred fraudulent charges on their credit cards, while others had not. The class alleged that members lost time and money resolving fraudulent charges and protecting themselves against future identity theft and that injuries in the form of heightened fraud and identity theft risk were imminent. Neiman Marcus challenged the consumers’ standing, arguing that those consumers with fraudulent charges had already been reimbursed and thus did not have cognizable claims and that the alleged future harm was too speculative to be a legally cognizable injury. A district court agreed and dismissed the case.

The Seventh Circuit, however, determined that consumers with fraudulent charges had standing, noting “there are identifiable costs associated with the process of sorting things out.” Of greater significance was the court’s determination that the risk of future injury related to fraudulent charges and identity theft was “certainly impending,” in accordance with the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA (133 S.Ct. 1138, 1147 (2013)), as opposed a mere “allegation[ ] of possible future injury.” The court noted, “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” As evidence, the appellate court noted that the retailer offered credit monitoring and identity theft protection to all consumers who shopped at its stores during a one-year time period. “It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.” The court declined to address the class’ contentions of injury based on overpayment for Neiman Marcus products and loss of private information at this stage of proceedings. It also rejected Neiman Marcus’ argument that the class could not trace its injuries to Neiman Marcus, as opposed to another retailer that experienced hacking, such as Target, noting that the burden of proof would simply shift to Neiman Marcus to prove that it was not responsible for the injuries. Neiman Marcus has filed a petition for en banc review before the Seventh Circuit.

Departure from precedent

Other courts within and without the Seventh Circuit have interpreted Clapper to mean that victims whose personal information has been accessed by hackers do not have standing to bring suit against the company charged with protecting their information, unless their information has actually been fraudulently used. In a 2011 payroll hacking case, the Third Circuit held “allegations of an increased risk of identity theft as a result of the security breach are hypothetical, future injuries, and are therefore insufficient to establish standing” (Reilly v. Ceridian Corporation). The United States District Court for the District of New Jersey court recently cited Reilly in dismissing allegations brought by a class of consumers whose protected health information (PHI) was accessed by hackers (In re Horizon Healthcare Services, Inc. Data Breach Litigation).

Health care impact

As health care data breaches become more frequent, or are at least reported more frequently due to HIPAA requirements, providers and other holders of PHI subject to Seventh Circuit jurisdiction may find themselves the subject of class action lawsuits filed by consumers whose data has been accessed, but not used. This summer, for example, an Indiana company, Medical Informatics Engineering (MIE), discovered that it was the victim of a data breach that compromised the data of certain clients utilizing electronic health records, personal health records, and patient portals. The data of nearly 4 million people were exposed. The company began notifying affected individuals in July; the first lawsuits have already been filed. MIE, along with consumers, will undoubtedly be following the Seventh Circuit’s actions in the Neiman Marcus case closely.