New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing

A class action lawsuit filed against NorthEast Radiology PC and Alliance HealthCare Services over a data breach that exposed the protected health information of more than 1.2 million individuals has been dismissed by a New York Federal Judge for lack of standing.

The lawsuit was filed in July 2021 on behalf of plaintiffs Jose Aponte II and Lisa Rosenberg, whose protected health information was exposed as a result of a misconfiguration of the companies’ Picture Archiving Communication System (PACS), which contained medical images and associated patient data. In late 2019, security researchers identified the exposed data and notified the affected companies, which included Northeast Radiology and its vendor, Alliance HealthCare Services.

According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million patients. Northeast Radiology reported the breach to the HHS’ Office for Civil Rights as affecting 298,532 individuals. The lawsuit alleged the defendants had implemented inadequate security safeguards to ensure the privacy of patient data, which allowed medical images and other protected health information to be accessed by unauthorized individuals between April 14, 2019, and January 7, 2020. The plaintiffs alleged that they face an ongoing and imminent risk of identity theft and fraud, as there is no way to cancel protected health information. They claim they now need to continuously monitor their accounts and use credit and identity theft monitoring services, and expend additional time and effort to prevent and mitigate against potential future losses.

It is now common for lawsuits to be filed against healthcare organizations following data breaches, but the lawsuits often do not succeed due to the failure to provide evidence of harm resulting from the exposure or theft of personal data, as was the case here. Judge Vincent L. Bricetti, Federal Judge for the Southern District of New York, dismissed the lawsuit as the plaintiffs failed to allege a cognizable injury. The judge ruled that the mere exposure of sensitive data did not establish the plaintiffs had been harmed by the incident, and that the risk of future harm from the exposure of their sensitive data was too speculative to establish standing.

While the data breach was reported to the HHS’ Office for Civil Rights as affecting up to 298,532 individuals, NorthEast Radiology was only able to confirm that the data of 29 patients had definitely been subjected to unauthorized access, and the two plaintiffs named in the lawsuit were not part of that small group.

Judge Bricetti referred to the Second Circuit Court’s decision in McMorris v. Carlos Lopez & Associates, LLC, which established a three-factor test for determining whether allegations of an injury from a data breach gave rise to a cognizable Article III injury-in-fact:

“(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”

Judge Bricetti rejected all of the plaintiffs’ claims for negligence, negligence per se, breach of contract, breach of implied contract, violations of New York General Business Law Section 349, and intrusion upon seclusion.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.