A federal district judge has dismissed the majority of a consolidated class action lawsuit that was filed against TRICARE, the military health program, and Science Applications International Corp. in the wake of a 2011 data breach that affected nearly 5 million individuals. The incident is the largest data breach reported to federal regulators under the HIPAA breach notification rule.
Of the 33 plaintiffs in the eight class action suits that were consolidated, only two "do plausibly assert that their data was accessed or abused, and those victims may move forward with their claims," writes U.S. District Judge James Boasberg in his May 9 ruling from the U.S. District Court in D.C.
However, the majority of the plaintiffs have not shown evidence that their data has been either viewed or misused, the judge says.
The court will hold a status hearing to assess those dismissed parties' intentions about appealing the judge's decision "before taking up the question of whether the two remaining plaintiffs have stated a legal claim," he writes.
The lawsuits stemmed from the September 2011 theft of unencrypted backup computer tapes containing information on about 4.9 million individuals. The tapes were stolen from the car of an SAIC employee who was to transport them between federal facilities on behalf of TRICARE.
The consolidated cases include five filed in the District of Columbia, two in California and one in Texas. The cases alleged harm from an increased likelihood of identity theft and from an invasion of privacy, among other things. The ruling notes that recently, SAIC and the three government defendants - TRICARE, the Department of Defense, and its Secretary, Chuck Hagel - moved to dismiss the now-consolidated complaint.
In his ruling, the judge wrote: "This case presents thorny standing issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury. That is, when is a consumer actually harmed by a data breach - the moment data is lost or stolen, or only after the data has been accessed or used by a third party?"
The ruling continues: "As the issue has percolated through various courts, most have agreed that the mere loss of data - without evidence that it has been either viewed or misused - does not constitute an injury sufficient to confer standing. This court agrees. Mere loss of the data is all that most plaintiffs allege here, so the majority must be dismissed from this case. Two plaintiffs, however, do plausibly assert that their data was accessed or abused, and those victims may move forward with their claims."
Analysis of Ruling
Privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine, says the ruling "adds to the majority of court cases that have held that plaintiffs must demonstrate actual harm, not merely a heightened risk of identity theft, to prevail on a claim related to a data breach.
"This ruling likely won't bring an end to these cases, as it is in a U.S. district court and is not binding on other courts," he notes. "The recent settlements in the AvMed and Stanford cases likely provide plenty of incentive for class action plaintiffs to continue to bring claims. Nevertheless, it adds to the weight of authority finding that a data breach itself is insufficient to demonstrate damages."
A class action lawsuit against AvMed, a health plan company, stemming from a 2009 data breach, was recently settled for $3 million. The settlement is significant because it awards payments to those who were not victims of identity theft.
A class action suit against Stanford Hospital & Clinics and two business associates related to a 2011 breach affecting 20,000 patients was recently settled for $4 million.
Also, Greene notes: "There are still some statutes, like the California Confidentiality of Medical Information Act, which award 'nominal damages' in the absence of demonstrating actual damages. Cases under such laws are potentially distinguishable from the TRICARE/SAIC case."