Supreme Court remand may signal end for data breach class actions

The Supreme Court’s decision to remand a Fair Credit Reporting Act (FCRA) case to the Ninth Circuit Court of Appeals may affect the future of class actions brought by victims of health care data breaches.  The High Court told the Ninth Circuit to determine whether the respondent in Spokeo, Inc. v. Robins (May 16, 2016) sustained a concrete injury for purposes of proceeding with FCRA allegations based on Spokeo’s alleged dissemination of incorrect information about the respondent.  The opinion emphasized the importance of the concreteness element of the injury-in-fact requirement of standing, and could endanger lawsuits filed by data breach victims based on impending injuries.


The respondent alleged that while he was “out of work” and “actively seeking employment,” Spokeo, a website that calls itself a “people search engine,” posted misinformation about him that was detrimental to his job search. Specifically, he claimed that the misinformation stating that he was married with children, employed, and in “very strong” economic health made him appear overqualified for work, desirous of a higher salary, and unwilling to travel or relocate. He alleged that Spokeo’s actions violated the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy.”

A district court determined that the respondent did not have standing to sue, but the Ninth Circuit reversed, noting that Spokeo violated the respondent’s individual statutory rights and that his interests regarding how his credit information was handled were “individualized rather than collective.”  Writing for the majority, Justice Alito noted that standing requires an injury in fact that is both “concrete and particularized,” in addition to being “actual or imminent.” While the Ninth Circuit’s analysis concluded that the respondent’s injury was particularized, affecting him “in a personal and individual way,” the Supreme Court determined that the appellate court did not perform a separate analysis to determine whether the injury was concrete, with Justice Alito noting that “not all inaccuracies cause harm or present any material risk of harm.” He also noted, however, that concrete injuries may be tangible or intangible.  Justice Thomas concurred, while Justice Ginsburg, joined by Justice Sotomayor, dissented.

Health care ramifications

The Supreme Court’s view on concreteness could affect the ability of data breach victims to file class actions against the entities that held their protected health information (PHI). Prior cases have dealt with the “actual or imminent” aspects of alleged injuries, with circuits disagreeing with one another. In 2015, for example, the U.S. Court of Appeals for the Seventh Circuit determined that retail customers whose credit card information had been hacked were subject to a “certainly impending” risk of future injury involving fraudulent charges and identity theft, even though they had not actually fallen victim to those actions (see Credit hacking case opens door to health care class actions, August 11, 2015). It issued a similar decision in 2016 in Lewert v. P.F. Chang’s China Bistro, Inc. (April 14, 2016), another credit hacking case, noting that the injuries were concrete.

In Khan v. Children’s National Health System (May 18, 2016), decided after Spokeo, the U.S. District Court for the District of Maryland determined that the plaintiff did not have an injury in fact. It noted that, in the context of data breaches, victims allege “an injury in fact arising from increased identity theft if they put forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.” In Khan, phishing emails targeted a hospital system’s employees’ email accounts, which happened to contain some PHI, but the court found no evidence that the hackers targeted PHI for the purpose of committing identity fraud. The Khan court noted that the majority of district courts follow this line of reasoning. Stakeholders should follow the Spokeo case, as the ultimate decision may be an indication of the future trend of data breach class actions.

21st Century Oncology faces class actions in wake of data breach

Following a data breach of the nationwide cancer center, 21st Century Oncology, patients filed multiple class action lawsuits against the provider alleging that 21st Century failed to establish adequate cybersecurity measures in violation of federal and state law. Although the breach impacted an alleged 2.2 million patient records, the provider notified patients that it does not believe medical records were accessed or information was misused as a result of the breach. One of the class action complaints condemns the provider’s lack of control over protected health information (PHI), saying, “the last thing patients dealing with potentially deadly illnesses need is further harm and stress caused by the insecurity of their most private data and how it may be used by thieves.”


In a complaint filed on March 23, 2016, several patients alleged that the provider was not aware that it had been infiltrated until notified of the breach by the FBI. Although investigators informed the provider of the breach on November 12, 2016, 21st Century announced it was instructed not to inform patients until this month. The lawsuits allege that data stolen by thieves includes patients’ names, Social Security numbers, physicians’ names, medical diagnoses, treatment information, and insurance information. One lawsuit asserted that the records of the 2.2 million current and former patients may have been copied and transferred as a result of the breach. The complaints allege that the provider violated the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) and industry data protocols, was negligent in its safeguarding of PHI, was in breach of the implied covenant of good faith and fair dealing, and, in some cases, violated state consumer protection laws.

Prior breach

One lawsuit alleges that 21st Century is not a stranger to data breaches. Specifically, the complaint alleged that between October 11, 2011 and August 8, 2012, a 21st Century employee provided PHI to a third party who used the information—names, Social Security numbers, and dates of birth—to file for fraudulent tax refunds. The complaint alleged that 21st Century also failed to detect the earlier breach.

21st Century

According to 21st Century’s announcement on the more recent breach, the provider is notifying affected patients and offering them free one-year credit protection services. Some of the lawsuits acknowledge the provider’s offer and call it inadequate, suggesting that the threat and harm resulting from the breach are more serious than the compensation reflects and will last longer than a year. The lawsuits follow a settlement earlier this month, in which 21st Century agreed to pay $34.7 million to settle claims that it billed Medicare and Tricare for medically unnecessary radiation tests between 2009 and 2015.