New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing

A New York federal judge has dismissed, for lack of standing, a class-action lawsuit filed against Alliance HealthCare Services and NorthEast Radiology PC over a data breach that exposed the protected health information (PHI) of over 1.2 million people.

The lawsuit was filed in July 2021 on behalf of plaintiffs Lisa Rosenberg and Jose Aponte II, whose PHI was compromised due to a misconfiguration of the firms’ Picture Archiving and Communication System (PACS), which contained medical images and related patient data. In late 2019, security researchers found the exposed information and informed the affected organizations, NorthEast Radiology and its vendor, Alliance HealthCare Services.

According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million individuals. NorthEast Radiology submitted a breach report to the HHS’ Office for Civil Rights indicating that 298,532 persons were impacted. The lawsuit alleged that the defendants had implemented insufficient security safeguards to protect the privacy of patient information, which enabled unauthorized persons to access the medical images and other PHI from April 14, 2019 to January 7, 2020. The plaintiffs claimed that they face an ongoing and imminent danger of identity theft and fraud because protected health information cannot be canceled. They state that they now have to continually monitor their accounts, use credit and identity theft monitoring services, and expend more time and effort to avoid and mitigate possible future losses.

It is now common for lawsuits to be filed against healthcare companies following data breaches. However, these lawsuits usually do not succeed because the plaintiffs fail to present proof of harm resulting from the compromise or theft of personal data, as was the case here. Judge Vincent L. Briccetti, Federal Judge for the Southern District of New York, dismissed the case because the plaintiffs did not allege a cognizable injury. The judge ruled that the mere exposure of sensitive information could not establish that the plaintiffs were harmed by the incident, and that the threat of future harm from the exposure of their sensitive data was too speculative to confer standing.

Although the data breach report filed with the HHS’ Office for Civil Rights stated that about 298,532 individuals were affected, NorthEast Radiology was only able to confirm that the information of 29 patients had definitely been subjected to unauthorized access, and the two plaintiffs named in the legal action were not included in that small group.

Judge Briccetti relied on the Second Circuit Court’s decision in McMorris v. Carlos Lopez & Associates, LLC. He applied the three-factor test established there for determining whether allegations of harm related to a data breach amount to a cognizable Article III injury-in-fact:

  1. whether the plaintiffs’ information was exposed because of a targeted attempt to acquire that data;
  2. whether any part of the dataset was misused, even though the plaintiffs themselves haven’t encountered identity theft or fraud; and
  3. whether the type of exposed information is sensitive such that the risk of identity theft or fraud is high.

Judge Briccetti dismissed all of the plaintiffs’ claims for breach of contract, breach of implied contract, negligence, negligence per se, intrusion upon seclusion, and violations of New York General Business Law Section 349.