A federal judge has dismissed a Missouri man’s lawsuit against pharmacy benefit management firm Express Scripts, which suffered a data breach that exposed sensitive customer data.
John Amburgy alleged that Express Scripts was negligent because it did not secure its database, leaving the system vulnerable to hackers who stole customer data, including names, Social Security numbers, birth dates and prescription information, according to court documents.
Due to the breach, Amburgy contended that he and other victims faced an increased risk of becoming the victims of identity theft. He sought damages for the time and money he spent protecting his identity after the breach.
The case was dismissed last week by U.S. Magistrate Judge Frederick Buckles because Amburgy could not prove that his information was actually used fraudulently.
“In short, [the] plaintiff does not claim that his personal information has in fact been stolen and/or his identity compromised,” Buckles wrote in his decision dismissing the case. “Rather, the plaintiff surmises that, as a result of the security breach, he faces an increased risk of identity theft at an unknown point in the future.”
For the case to go forward, the judge ruled that Amburgy would have had to meet the “threshold requirement” imposed by Article III of the U.S. Constitution, which states that a plaintiff must prove that he or she suffered injury that is “actual or imminent, not conjectural or hypothetical.”
In November 2008, Express Scripts said it received an anonymous letter that included sensitive customer information. The writer threatened to release millions of more records if the business failed to pay an unspecified sum of money.
Over the last several months, based on new information from the extortionists, Express Scripts began notifying more than 700,000 victims that their personal information may have been compromised.
The FBI is investigating.