Share this article on:
The U.S. District Court for the Western District of New York has recommended a class action lawsuit against Practicefirst Medical Management Solutions be dismissed. The lawsuit was filed on behalf of victims of a 2020 ransomware attack whose sensitive information was stolen in the attack.
Practicefirst, an Amherst, New York-based medical management services provider, provides billing, credentialing, bookkeeping, coding, and compliance services to medical practices. On December 30, 2020, Practicefirst discovered unauthorized individuals had gained access to its network, exfiltrated sensitive data, then attempted to deploy ransomware. The files exfiltrated from its systems included names, addresses, email addresses, Social Security numbers, usernames and passwords, financial information, and healthcare information. PracticeFirst entered into negotiations with the ransomware gang and arranged for the return of the data and received confirmation that the stolen files had been destroyed and were not further disclosed. The breach was reported to regulators as affecting more than 1.2 million individuals, including patients and employees, and affected individuals started to be notified about the data breach in July 2021. A complimentary 2-year membership to credit monitoring and identity theft protection services was offered to individuals affected by the incident.
A few days after the notification letters were sent, a lawsuit was filed naming Peter Tassmer and Karen Cannon as plaintiffs, who were patients of medical practices contracted with PracticeFirst. The lawsuit sought damages and injunctive relief and required PracticeFirst to make significant security improvements. The lawsuit alleged PracticeFirst’s security failures resulted in the unauthorized release of the plaintiffs’ and other class members’ sensitive data, which placed them at an increased and imminent risk of future identity theft, economic damages, and other injury and harm. The lawsuit claimed the plaintiffs and class members had suffered actual injuries in the form of a violation of their privacy rights, a diminished value of their personal information, and time and money had to be spent in response to the breach that could have been spent on other activities.
The District Court recommended the lawsuit be dismissed as the plaintiffs were unable to demonstrate they had suffered concrete harm as a result of the data breach. The risk of identity theft, fraud, and other injury was deemed to be too speculative and not imminent. The plaintiffs alleged that their sensitive data were stolen and because they were stolen that information would be used for identity theft and fraud. The judge said in his decision the allegation was speculative since this was a ransomware attack that was concerned with the exchange of money for access to data, not theft of data for identity theft.
The lawsuit alleged loss of value of the plaintiffs’ personal and protected health information; however, evidence was not provided to back up that claim. While there are companies that offer to purchase personal and healthcare data, the plaintiffs did not allege they had attempted to sell their information and were forced to accept a lower price as a result of the ransomware attack.
The recommendation follows the decisions of numerous circuit and district courts not to grant Article III standing for lawsuits based on the imminent risk of future identity theft when the plaintiffs have been unable to provide evidence of misuse of their personal information and actual harm. The Judge’s decision referenced the June 2021 decision of the Supreme Court in the case Transunion LLC v. Ramirez, in which the Supreme Court ruled that the risk of harm cannot qualify as concrete harm on its own, at least unless the exposure to the risk of future harm itself causes a separate concrete harm.
“The Supreme Court has made clear that allegations of a concrete harm that are tied to speculative or possible future injury are insufficient because plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is certainly impending,” said the judge in the ruling. The parties have been provided with 14 days to file objections, after which a final ruling will be issued.