Breach, Incident Response, Governance, Risk and Compliance

Northeast Radiology breach lawsuit dismissed over lack of concrete harm

The Danbury, Conn., office of Northeast Radiology. A breach lawsuit against the radiology specialist and its vendor Alliance HealthCare was dismissed due to a lack of evidence detailing concrete harm. (Credit: Northeast Radiology)

The healthcare data breach lawsuit against Northeast Radiology and its vendor Alliance Healthcare Services has been dismissed by a judge in the U.S. Southern District of New York court, citing failure to provide evidence of imminent risk of fraud or actual harm.

In determining the dismissal, the judge referenced the June 2021 Supreme Court ruling and found that “to be concrete, an injury ‘must actually exist.’” Further, the breach victims must identify and provide evidence of “a close historical or common-law analogue for their asserted injury, although it need not be an exact duplicate.’”

“Regarding statutory harms, it is not enough to allege that a defendant violated the law,” according to the ruling. “‘Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation will have standing.’”

Filed in July 2021, the class-action lawsuit stemmed from a nine-month data breach, which was caused by longstanding vulnerabilities in the vendor’s picture archiving and communication system. PACS are leveraged by health systems to readily share medical images and health information with connected partners, as well as data archiving purposes.

But the tech holds well-documented vulnerabilities, which can readily enable unauthorized access to sensitive data. The lawsuit itself followed a SC Media report detailing the risk of these flaws and a Department of Health and Human Services alert finding 130 health systems actively exposing images through these flaws.

For Northeast Radiology and Alliance Health, the overlooked PACs flaws enabled a threat actor to gain access to the legacy tech, exposing the data belonging to 298,532 patients. The data included names, dates of birth, exam descriptions, dates of service, medical images and details, and corresponding Social Security numbers.

Alliance began notifying those patients in March 2020, and the class-action followed on July 8, 2021. The lawsuit argued that the vendors’ “careless handling of e-PHI is prohibited by federal and state law,” and by failing to comply with the Health Insurance Portability and Accountability Act, both Northeast Radiology and Alliance Health caused direct harm to victims.

The purported injuries included ongoing, imminent risk of identity theft and fraud, “because, unlike a credit card, there is no way to cancel e-PHI.” The lawsuit argued the victims would demonstrate that the vendors’ security policies, provider communications, and disclosed vulnerabilities would shed light on the claims of harm.

In dismissal, judge says risk of future harm too speculative

However, the judge did not agree with those claims and explained that breach victims who seek injunctive relief to prevent future harm “may establish injury-in-fact if they demonstrate ‘the risk of future harm is sufficiently imminent and substantial,’” as noted in the Supreme Court’s ruling around harm.

Further, when seeking damages, the Supreme Court ruled that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm — at least unless the exposure to the risk of future harm itself causes a separate concrete harm.’”

As such, the judge determined that the breach victims did not “allege an injury-in-fact sufficient to confer standing.”

Of note, the lawsuit did not allege that data of the impacted patients was misused. The judge then determined the allegations that the unauthorized actor “would have viewed” patients’ data in the list of file names to download a copy would be “extremely unlikely” and “too remote to establish that [patients]’ risk of future harm from identity theft is substantial or imminent.”

Further, the judge struck down the notion that the breached PACS system was targeted for the express purpose of identity theft, as the victims did not provide evidence of alleged or suspected data misuse.

Patients’ “claim that they would not have used defendants’ services had defendants disclosed their insufficient security practices also does not allege an injury-in-fact,” the judge ruled. The patients “do not allege any misuse or attempted misuse of their data resulting from the breach.” And even if they “lost some measure of privacy,” they still failed to prove alleged concrete harm.

“Claims of conceivable harm without factual support are not sufficient,” according to the ruling. In addition, patients’ “risk of future harm is too speculative to establish standing,” and the breach victims’ “efforts and expense to monitor their accounts is not a sufficient injury-in-fact to confer standing.”

The dismissal can help to provide standing for future healthcare data breach lawsuits, an issue recently detailed by BakerHostetler data and SC Media reporting around the concerning number of law firms jumping to advertise around healthcare data breaches.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.