A federal judge recently held that mere allegations that a healthcare provider’s patient information portal failed to utilize sufficient security measures, without allegations of an actual breach, were insufficient to confer standing on the plaintiff. The case, Williams-Diggins v. Mercy Health—which was pending in the United States District Court for the Northern District of Ohio—centered around the plaintiff’s 2016 allegations that the defendant’s “use of software known as the Horizon Patient Folder WebStation portal  caused private and protected patient information to be exposed to unauthorized third parties.”
There, the plaintiff alleged that the defendant healthcare provider “knew or should have known [that the software] operated on an outdated Java-based computer server that could be easily accessed, permitting patient information to be removed or deleted.” Citing HIPAA and “industry standards,” the plaintiff alleged that Mercy Healthcare failed to satisfy its “duty to maintain the security and confidentiality of its patients’ medical information.” The plaintiff claimed breach of contract, unjust enrichment, breach of confidence, and violation of the Ohio Consumer Sales Protection Act.
On Mercy’s motion to dismiss for lack of standing, U.S. District Judge Jeffrey J. Helmick found that the “possibility [that a data breach may occur] is not sufficient to confer standing” and only references a possibility of future injury. In reaching his holding, Judge Helmick relied on the United States Supreme Court’s Spokeo decision. Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (“[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical’”). With regard to the plaintiff’s claim that he “overpaid” for services—by virtue of payments for what he believed to be a compliant data privacy program—the court found that is exactly what he received. Because his information was never disclosed, there was no failure by Mercy to meet its end of the bargain, and “[e]ven if Defendant’s approach to data security was clumsy, it also was harmless, and that is fatal to Plaintiff’s claims.”
In closing the court noted the now axiom that “‘[a]ny HIPAA claim [alleged by the plaintiff] fails as HIPAA does not create a private right of action for alleged disclosures of confidential medical information.’” (Quoting Wilkerson v. Shinseki, 606 F.3d 1256, 1267 n.4 (10th Cir. 2010)).
Although the court’s decision in this case certainly makes sense—there is no standing until an actual breach occurs—some think the Supreme Court may revisit, or refine, its Spokeo decision this term, if it grants certiorari in the matter of Zappos.com, Inc. v. Stevens, docket no. 18-225. There, the Court has been called upon to decide whether individuals whose personal information was contained in a database breached by hackers have Article III standing merely by virtue of the breach itself, without any resulting injury. The answer to that question is the basis of a circuit split of authority, wherein the United States Courts of Appeals for the 3rd, 6th, 7th, 9th and District of Columbia Circuits have held that such a scenario confers standing, while the U.S. Courts of Appeals for the 1st, 2nd, 4th and 8th Circuits have mandated some evidence of resulting “concrete” injury from the breach. We’ll be sure to keep you updated if the High Court decides to hear the Zappos matter.