Share this article on:
A lawsuit filed on behalf of victims of a Brandywine Urology Consultants data breach has been dismissed by the Delaware Superior Court after plaintiffs failed to provide evidence demonstrating they had suffered harm as a result of the breach.
Brandywine Urology Consultants experienced a ransomware attack on January 27, 2020 The attack was detected after two days and the subsequent investigation confirmed the attackers had access to a network which contained patient information.
Brandywine Urology Consultants concluded from its investigation that the attack was conducted to extort money rather than to obtain patient data, although unauthorized data access and data theft could not be ruled out. The attackers potentially accessed the protected health information of 130,000 patients, and may have viewed or obtained names, medical record numbers, Social Security numbers, financial data, claims data, and other information.
The lawsuit was filed in May 2020 alleging Brandywine Urology Consultants was negligent for failing to prevent the attack, had breached its fiduciary duty, and was in violation of the Delaware Computer Security Breach Act and the Delaware Consumer Fraud Act.
The lawsuit alleged victims of the breach were at imminent risk of harm, had suffered a loss of privacy, anxiety as a result of the theft of their protected health information, a failure to receive the benefit of a bargain, and disruption to medical care. The lawsuit sought damages to cover the cost of mitigations and out of pocket expenses that had been incurred.
Brandywine Urology Consultants filed a motion to dismiss the lawsuit due to lack of standing. The defendant claimed the plaintiffs failed to allege an injury in fact, the economic loss doctrine bars any recovery, and the court lacked subject matter jurisdiction for the breach of fiduciary duty claim.
Brandywine Urology Consultants argued that the claim it had violated the Delaware Computer Security Breach Act lacked standing as it had satisfied the statute’s notice requirement, and the Delaware Consumer Fraud Act violation claim should be dismissed because the plaintiffs failed to state a claim under the statute.
“A plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are certainly impending,” and must demonstrate “a likelihood that the injury will be redressed by a favorable decision,” said the Honorable Mary M. Johnston in the ruling.
Since the plaintiffs were unable to provide evidence of harm, there was only a possibility that their sensitive data had been compromised, and the swift and appropriate measures that were taken by the defendant to investigate and mitigate the breach, the motion to dismiss was granted.
While the plaintiffs claimed to have incurred expenses as a result of the breach, the judge ruled that costs incurred in response to a speculative threat is not sufficient, in itself, to create an injury sufficient to confer standing.