A federal judge in the U.S. District Court for the Western District of New York has recommended granting a motion to dismiss a potential class-action lawsuit against Practicefirst, because the breach victims who filed the case did not provide evidence of actual harm, as required by a June Supreme Court decision.
Practicefirst is a medical management company tasked with data processing, billing, and coding services for healthcare provider organizations.
The lawsuit stems from a July 2021 notification about the theft of data belonging to 1.2 million patients and employees, accessed from the Practicefirst network ahead of a ransomware attack deployed on Dec. 25, 2020. The attack wasn’t discovered until Dec. 30. Practicefirst did not explain the six-month delay in notifying patients.
An investigation into the incident revealed the mass data exfiltration tied to personal and protected health information of patients and employees. The data was highly sensitive in nature, including Social Security numbers, driver’s licenses, financial account details, employee credentials, security questions and answers, patient identification, and medical data.
Some medical provider clients of Practicefirst were also affected by the data theft, including UPMC.
Practicefirst negotiated the release of the data “with confirmation the data was destroyed and not shared.” Industry leaders have long stressed that attack victims should not take the word of threat actors in these negotiations, as there is no way to confirm those claims.
Two of the breach victims, Peter Tassmer and Karen Cannon, responded to the breach notice by filing a lawsuit that alleged breach of contract and negligence caused by Practicefirst’s “unsecure and inadequate data security practices.”
“Due to Practicefirst’s carelessness and inadequate security, [breach victims] have suffered irreparable harm and are subject to an increased risk of identity theft,” according to the initial lawsuit filing. [Patient data] “has been compromised and they must now undertake additional ongoing security measures to minimize the risk of identity theft.”
The lawsuit sought both declaratory and injunctive relief, in response to what the breach victims claim was “harm” caused by the incident.
Claims of “future harm” insufficient
Calling it an “instant lawsuit,” the judge supports Practicefirst’s motion to dismiss the case because the breach victims did not provide evidence of actual harm. On June 21, in a case filed by Sergio Ramirez and others impacted by a TransUnion breach, the Supreme Court concluded that only individuals “concretely harmed” by a breach have standing to seek damages.
The harm outlined in the Practicefirst lawsuit was confined to time and money spent “reviewing their account statements and credit reports for any indication of actual or attempted identity theft, and that this was valuable time which could have been spent on other activities.”
Other breach victims claimed their response efforts included fielding calls to sort through unsolicited spam, “verifying the legitimacy of the data breach, exploring credit monitoring and identity theft insurance options, and self-monitoring sensitive accounts.”
The actual harm provided as evidence was confined to damage and reduced value to their data, violation of their privacy rights, and “further imminent and impending injury arising from the increased risk of identity theft, and financial and medical fraud.”
Citing the Supreme Court case, the judge found these claims were not sufficient to establish standing for the lawsuit, because it sought damages for “the mere risk of future harm.” On its own, risk of harm cannot qualify as concrete harm — “at least unless the exposure to the risk of future harm itself causes a separate concrete harm.”
Previous court decisions instruct that to establish standing in breach-related lawsuits, victims must “allege both a risk of future harm that is ‘actual and imminent’ or ‘certainly impending’, as well as separate, concrete harm that was caused by exposure to the imminent risk and is proportional to the actual likelihood of the future harm occurring.”
“The Supreme Court has made clear that allegations of a concrete harm that are tied to speculative or possible future injury are insufficient because plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is certainly impending,’” according to the judge’s motion.
In short, spending time and money to monitor accounts and explore identity protection out of fear of theft does not equate to harm. It should be noted that Practicefirst did offer two years of these services to all those impacted by the incident.
The judge’s decision also reflects the lack of actual harm: there have been no reported cases of identity theft or data misuse, either publicly or by the plaintiffs. Notably, the lawsuit does not plausibly allege that the initial hack was designed to steal and profit from data for purposes of identity theft or fraud.
Even though the data was stolen, the judge asserts that the plaintiffs are only speculating that the attackers intend to use the data in the future, since the initial hack took place more than a year ago and none of the data theft victims have come forward with actual misuse.
“In fact, the complaint is devoid of allegations that class members have experienced any type of fraud because of the breach, or even that attempts have been made to use their personal information for nefarious purposes,” according to the motion.
The judge’s motion and opinion have been filed with the Clerk of the Court, and objections to it must be filed within the next two weeks. In an era where every healthcare data breach is promptly followed by a law firm “investigating” the incident, the motion may serve as an example for future cases.