District of Massachusetts Rejects Data Breach Lawsuit for Insufficiency of Injury

Nowadays, it is typical to file class action lawsuits because of a healthcare data breach. Although sensitive healthcare data theft can certainly create a lot of trouble for a data breach victim, the plaintiffs need to allege they have sustained an injury as a direct consequence of the breach in order for a lawsuit to stand in court. Last October, the District of Massachusetts dropped a class action lawsuit against Injured Workers’ Pharmacy, LLC, because the plaintiffs and class members did not show an injury in fact enough to have Article III standing.

Injured Workers’ Pharmacy is a pharmaceutical home delivery service provider. In May 2021, it found out that unauthorized individuals accessed parts of its system and potentially viewed or acquired the personally identifiable information (PII) of over 75,000 of its clients.

On behalf of Alexsis WebbMarsclette Charley, the lawsuit – Webb v. Injured Workers’ Pharmacy, LLC – was filed. Allegedly, the pharmacy failed to enforce proper data security procedures and committed unjust enrichment, breach of implied contract, and other charges. Webb and other persons likewise impacted by the breach claimed they had sustained an injury because of the data breach such as loss of sleep, anxiety, stress, and fear, and had expended a lot of time and effort checking their financial accounts and safeguarding themselves versus identity theft and fraudulence. Charley claimed she had consumed many hours handling the IRS as a result of a bogus tax return that was submitted in her name. The plaintiffs additionally claimed that because their personally identifiable information was accessible on the dark web, they had sustained harm to and diminution of the value of their PII, which costs around $1,000.

IWP wanted to disregard the lawsuit for insufficiency of standing because the plaintiffs didn’t assert a claim, and the lawsuit didn’t claim any tangible and specified injuries that are actual or certain. The District of Massachusetts decided and refused the factual accusations of the complaint since the plaintiffs didn’t allege they had sustained any particular harm due to the data breach.

The only claimed injury was the substantial time and effort that was expended checking accounts and dealing with the IRS since there weren’t any claims of financial loss, misuse of data, or even claims of theft of the plaintiffs’ PII. Although Charley got a bogus tax return submitted under her name, the court decided that there was no admissible allegation that linked the bogus tax return to the data breach. Concerning the assertion of diminution of the plaintiffs’ PII value, the court stated it was not clear how the decrease of PII black market value can cause an injury to the plaintiffs.

The Supreme Court had earlier decided that in a lawsuit for damages, the simple risk of future injury, could not confirm Article II standing, with the District of Massachusetts decision that [Plaintiffs] cannot establish standing simply by imposing harm on themselves based upon… theoretical future harm.