Healthcare Data Breach Victims’ Lawsuit Tossed When They Can’t Show Harm–Paul v. Providence

By Eric Goldman

Paul v. Providence Health Systems–Oregon, SC S059131 (Ore. Sup. Ct. Feb. 24, 2012)

A Providence employee left disks/tapes containing records for 365,000 patients in his/her car, and they were stolen. The opinion implicitly assumes that the data wasn’t encrypted. The opinion doesn’t explain why the employee had unencrypted patient data for a third of a million people lying around in a car. Unlike a deliberate security intrusion, there’s no evidence that the thief sought the data or had criminal intent towards the data.

Nevertheless, the Oregon Attorney General couldn’t ignore a data loss of this magnitude/ineptitude, and Providence settled with the AG by agreeing:

to contract with a credit monitoring company to provide two years of credit monitoring and restoration services to any patient who requested it, to reimburse any patient for any financial loss resulting from the misuse of credit or identity theft, and to establish a website and toll-free call center to assist patients with questions related to the theft. Under the agreement, defendant also paid the Attorney General more than $95,000. Defendant estimated the cost of the credit monitoring and other services that it agreed to provide at approximately $7 million.

Apparently, the AG’s deal wasn’t good enough for the privacy plaintiff’s bar (at least, not to their personal fortunes), because 6 years after the settlement–the breach occurred in 2005; the AG settlement in 2006–the Oregon Supreme Court finally kiboshed the class action lawsuit.

The plaintiffs marshaled the following statements of loss:

* “financial injury in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft”

* “noneconomic damages for the emotional distress caused by the theft of the records and attendant worry over possible identity theft”

However, the plaintiffs had to contend with the following facts:

* the AG settlement already provided some meaningful relief to affected patients, including some credit monitoring and a promise to financially compensate patients for adverse data misuse

* there was no evidence that any patient had suffered any financial loss or other adverse consequence due to the data loss. Indeed, there’s no evidence that anyone had ever accessed the data on the disks/tapes (the court says doing so would require “specialized equipment”).

The latter bullet point proves to be fatal to the plaintiffs’ claims for common law negligence and the Oregon consumer protection act. Under both doctrines, the plaintiffs didn’t allege a legally cognizable loss. The economic losses alleged by plaintiffs are simply mitigation steps to reduce the risk of future harm, and negligence law doesn’t recognize these anticipatory steps:

the cost of credit monitoring that results…from the risk of possible future harm…is insufficient to state a negligence claim

Citing (among others) the Third Circuit’s Reilly case and Ruiz v. Gap, the court continues:

Every court that has addressed damage claims for credit monitoring following the theft of computer records containing personal information — but no wrongful use of that information — has reached a similar conclusion.

The Ninth Circuit’s Krottner v. Starbucks opinion doesn’t get a mention, but it supports this outcome too. The court distinguished the First Circuit’s Hannaford case on the basis that some data breach victims had actually experienced bogus credit card charges.

The nonfinancial harm allegations don’t fare any better. Citing (among others) the Reilly, Amburgy and Pinero cases, the court summarizes:

We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff’s personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm.

Just to clarify, the court dismissed the claims based on the substantive elements, not on standing grounds. Article III standing doesn’t apply given this was in state court. However, this ruling is consistent with the numerous cases dismissing data breach claims on Article III grounds.

I’d like to think we’re nearing the tail end of data breach lawsuits like this where, irrespective of the data holder’s malfeasance, nothing bad actually happened to the victims or (at this late date) is likely to happen. The plaintiffs’ lawyers who brought this claim might be partially excused for their optimism because they filed the case so long ago, when it wasn’t totally clear they would lose. Newly filed lawsuits can’t claim that excuse. Going forward, I hope plaintiffs’ lawyers are getting the very clear message from the courts: Make sure you have at least one truly injured data breach victim, or don’t waste your time and money.

More of our extensive coverage of this topic.