Relying in part on the United States Supreme Court’s recent ruling in Clapper v. Amnesty International, a federal judge in New Jersey dismissed a putative data breach class action against three healthcare entities and a vendor retained by each of the entities.  Bobbi Polanco v. Omnicell, Inc., Civ. No. 13-1417 (NLH/KMW) (December 26, 2013).  The defendants were Sentara Healthcare[1], which owns hospitals throughout Virginia, South Jersey Health System, Inc. (SJHS, now known as Inspira), which provided medical care to the named plaintiff’s daughter, the University of Michigan Health System (UMHS)[2], and Omnicell, a vendor hired to manage and dispense medications. Because the Plaintiff only alleged injury based on anticipation of future harm, she lacked standing and the Defendants’ motions to dismiss were granted.

Background

The plaintiff, Bobbi Polanco (Polanco), alleged that she brought her daughter to two Inspira hospitals for medical treatments on five occasions since 2011.  During those visits, Polanco either supplied to Inspira, or confirmed the accuracy of, confidential information including her social security number, insurance information, and medical information.

Polanco alleged that she received a December 31, 2012 letter from Omnicell, advising her of the November 14, 2012 theft of a laptop from an Omnicell employee’s car and stating that “Omnicell is entrusted with patient information.”  (Id. at 9-10)  Polanco alleged that the laptop contained unencrypted Personal Confidential Data (PCI) relating to thousands of Sentara, Inspira and UMHS patients.

Following receipt of the Omnicell letter, Polanco alleged that she did not receive reassurances from the Defendants that her PCI would be adequately secured from subsequent losses.  Consequently, she alleged that she sought medical treatment for her daughter at more distant hospitals, thereby incurring increased expenses.

Polanco brought her putative class action on behalf of herself and all others similarly situated, asserting claims for (1) breach of state data security notification laws; (2) violations of consumer fraud statutes of New Jersey, Virginia and Michigan; (3) fraud; (4) negligence; and (5) conspiracy.  Plaintiff alleged that she was seeking “to remedy the harmful effects of the breach of …. privacy interests of Plaintiff and the Class, the failure to timely and reasonably notify [Plaintiff and the Class] of such breach …, and the misleading and deceptive notification sent on December 31, 2012.”  (Id. at 10).

Sentara’s Motion to Dismiss

Sentara moved to dismiss on three primary grounds: (1)  pursuant to FRCP 12(b)(1),  Polanco lacked Article III standing because she did not allege a concrete injury-in-fact traceable to conduct on the part of Sentara; (2) pursuant to FRCP 12(b)(2), the Court lacked personal jurisdiction over Sentara because it had no meaningful contacts with New Jersey; and (3) pursuant to FRCP 12(b)(6), Polanco failed to state a claim upon which relief could be granted.

Article III Standing

Addressing Sentara’s motion, the Court reiterated the bedrock principles that, “First, the plaintiff must suffer an injury-in-fact that is concrete and particularized and actual or imminent, as opposed to conjectural or hypothetical.  Second, there must be a causal connection between the injury and the conduct complained of — the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.  Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.”  (Id. at 25).

Sentara argued that Polanco lacked standing to sue Sentara, a legal stranger, because she had no relationship with Sentara and it was never entrusted with her PCI. Sentara, joined by Inspira and Omnicell, also argued that Polanco’s “self-imposed increased costs based on pure speculation” were the “sort of speculative and manufactured damages prohibited” by the Supreme Court’s Clapper decision and the Third Circuit’s ruling in Reilly v. Ceridian Corporation, a data breach case.  The Court agreed with both arguments and granted the Defendants’ motions, without addressing any remaining issues.

No Injury Traceable to Sentara

Evaluating Sentara’s motion, the Court noted that “the facts alleged in the Amended Complaint[3] fail to demonstrate any causal connection between the alleged injury and any conduct on the part of Sentara.”  (Id. at 26).  The “fact that a suit may be a class action adds nothing to the question of standing, for even named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.”  (Id. at 26-27). “[Polanco] is required to establish standing with respect to each separate Defendant named in this suit, and she cannot rely on conduct by Sentara that relates to unidentified, potential class members.”  (Id. at fn. 14).

In addition, a “plaintiff may not maintain an action on behalf of a class against a specific defendant if the plaintiff is unable to assert an individual cause of action against that defendant, whether for reasons of lack of standing or for lack of Rule 23(a)(3) typicality.”  (Id. at 27).  Here, because Polanco could not show an injury traceable to Sentara’s conduct, the Court ruled that she lacked standing to sue Sentara.  (Id. at 29).

Conclusory Allegations Are Legally Insufficient to Create Standing

The Court then turned to the Defendants’ subject matter jurisdiction argument.  “As Defendants point out, in Clapper, the Supreme Court analyzed Article III standing, noting it has ‘repeatedly reiterated that ‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘allegations of possible future injury’ are not sufficient.’  The Third Circuit similarly articulated in Reilly that allegations of ‘possible future injury’ are not sufficient to satisfy Article III.  The Court’s review of Reilly and Clapper indicates that these two cases are controlling for purposes of evaluating [Polanco’s] standing in the present action.” (Id. at 32).

Polanco tried to convince the Court that her “claim is different” from the data breach cases cited by the Defendants. (Id. at 35). However, the Court noted that Polanco “essentially concedes that she has not alleged either: (1) any misuse of her PCI or PHI [personal health information]; or (2) that she is now at an increased risk for the misuse of her information in the future based on the theft of the laptop.”  (Id. at 34-35).  Polanco also “expressly denies that she has any fear of what the thief who allegedly stole the Omnicell laptop might do with her PHI and PCI.  Instead, [Polanco] summarizes that her claims involve the actual loss of personal property, the failure to secure such property forward, and monies lost due to Inspira’s failure to fulfill its express promises made to [Polanco].”  (Id. at 34-35).

Polanco asserted that “because of Inspira’s refusal to acknowledge its failings, and to take steps to remedy such failings, she has sued to prevent any further dissemination of her PHI and PCI by Inspira, and to force Inspira and Omnicell to purge their files of her sensitive information (or to secure it going forward).”  (Id. at 35).  The Court rejected Polanco’s position, stating:

[Polanco’s] arguments seeking to distinguish her case from the data breach security cases cited by Defendants based on the allege[d] “loss” of her PCI and PHI are unpersuasive here.  At the outset, [the] Amended Complaint makes only limited references to the purported “loss” of her information.  Moreover, to the extent [Polanco] alleges that the injury she suffered here is the “loss” (or presumably, disclosure) of her information in violation of HIPAA and Defendants’ failure to secure her information going forward as required by HIPAA, the Court notes that HIPAA does not provide a private right of action to remedy HIPAA violations.  . . .  Consequently, Polanco cannot establish a concrete and particularized injury sufficient to confer standing here related to the “loss” of her PCI and PHI.

More importantly though, [Polanco’s] assertions in the Amended Complaint and in her opposition that her PCI and PHI were “lost” are directly contradicted by the December 31, 2012 letter from Omnicell [in which] Omnicell explicitly confirms that “the patient’s medical records were not on the device … and that the patient’s medical information has not been lost.”  Omnicell’s letter goes on to state that there is “no reason to believe that the device was taken for the information it contained, or that the information has been accessed or used improperly.”  Thus, to the extent [Polanco] claims that the injury she suffered was the “loss” of her information, [those allegations] are belied by the representations made in the December 31, 2012 letter.  (Id. at 36-39).

In sum, the Court held that Polanco asserted “only broad and conclusory allegations of harm that fail to satisfy [her] burden to demonstrate that she suffered an invasion of a legally protected interest which is both ‘concrete and particularized’ — meaning she was injured in a personal and individual way — and ‘actual or imminent’ as opposed to conjectural and hypothetical.”  (Id. at 39).

Alleged Statutory Violations Do Not Confer Standing

The Court also ruled that Polanco’s allegations that the Defendants breached various statutes did not create standing.  “[M]erely asserting violations of certain statutes is not sufficient to demonstrate an injury-in-fact for purposes of establishing standing under Article III, and the Court rejects [Polanco’s] assertions on this point.”  (Id. at 40).  In addition, the Court rejected Polanco’s purported reliance on the New Jersey Consumer Fraud Act (CFA).  “[Polanco] cites no case law … and the Court’s research reveals no case where any state or federal court in New Jersey interpreted the CFA to serve as a backdoor remedy for HIPAA violations.”  (Id. at fn. 24).

Prophylactic Expenses Do Not Constitute Injury-In-Fact

The Court noted that “the only harm that [Polanco] alleges in the Amended Complaint is that she incurred unspecified increased out-of-pocket expenses in seeking treatment for her daughter at medical facilities other than Defendants’ because she was unwilling to return to SJHS and Inspira until such time as [h]er PCI is secure, her rights under HIPAA are protected, and the deficiencies that led to the November 14 incident have been corrected to her satisfaction.”  (Id. at 40).  The Court observed:  “Much like the Plaintiffs in Reilly, [Polanco] has prophylactically spent money to ease her fears of a future loss of her PCI and PHI by a HIPAA-compliant medical facility and therefore made an independent decision to seek treatment elsewhere.  [Her] decision to do so was based entirely on her speculative belief that her PCI or PHI would be ‘lost’ again by Defendants.  Therefore, her assertion is one that claims injury for expenses incurred in anticipation of future harm, and is not sufficient for purposes of establishing Article III standing.” (Id. at 40-41).

Conclusion

Fortunately, most individuals affected by a data breach do not suffer a legally cognizable injury as a result of that breach. In response, however, the plaintiffs’ bar has attempted to manufacture new ways to show that data breach plaintiffs have sustained some type of injury.  This case represents an important step in thwarting such efforts.

 


[1] Sentara is represented by BakerHostetler in this matter.

[2] The Court granted UMHS’s motion to dismiss, ruling that it is entitled to Eleventh Amendment immunity.

[3] Pursuant to the Court’s sua sponte Order, Polanco was required to file an Amended Complaint to cure defective jurisdictional allegations in her original Complaint.