On December 6, 2018, in Williams-Diggins v. Mercy Health, an Ohio district court granted the defendant’s motion to dismiss a putative class action related to a cybersecurity vulnerability in the Ohio-based medical provider’s computer systems that allegedly left patient health information publicly accessible online for years.  United States District Judge Jeffrey Helmick dismissed the case for lack of jurisdiction (among other reasons), finding that the plaintiff’s theories of harm—overpayment and risk of future exposure or breach of his sensitive health information—were insufficient to create Article III standing.

Plaintiff initially brought the action in August 2016, seeking to represent a nationwide class composed of Mercy Health (“Mercy”) patients.  He alleged that the defendant’s document management software suffered from a security vulnerability that left confidential patient health information, including treatment records, diagnoses, and lab results, exposed to unauthorized disclosure and breach.[1]  The plaintiff also claimed that this vulnerability had been known in the cybersecurity industry for years and required limited time and money to correct.  However, the plaintiff did not allege that the vulnerability had actually been exploited at Mercy or that confidential patient information had been compromised.[2]  Alleging that Mercy breached its duty “to keep its patients’ private medical information confidential” that was “created by HIPAA, industry standards, and promises [Mercy] made to its patients” in privacy policies and statements of corporate values posted on its website,[3] the plaintiff brought claims for breach of contract, breach of confidence, unjust enrichment, and violations of Ohio’s consumer protection act.[4]

The operative complaint identified two alleged harms arising from the security vulnerability.  First, the plaintiff alleged that patients’ private medical information was “exposed and was at a great risk of further unauthorized disclosure and breach” in the future.[5]  Although Mercy patched the vulnerability within days of the complaint being filed, the plaintiff asserted that “Mercy’s patients remain[ed] at risk of suffering further harm . . . until a third party is able to confirm that . . . patient data was not compromised.”[6]  His second theory of harm was an alleged economic injury:  that Mercy “injured its patients by charging and collecting market-rate medical fees without providing industry standard protections for patient data confidentiality.”[7]

The court flatly rejected these injuries as bases for standing.  First, the court found that the plaintiff failed to “establish standing by alleging [Mercy’s] software put his personal information at risk because it could have easily been accessed without permission by a third party.”[8]  According to the court, “[a]llegations of possible future injury do not rise to the level of an imminent injury” sufficient to create Article III standing; the plaintiff’s future harm theory therefore failed because it “only alleged that his personal information might be accessed improperly, not that it actually was.”[9]

The court found the “overpayment” theory similarly unpersuasive, holding that the plaintiff “paid for healthcare services with the expectation that the personal information he provided or that was created through the care he received would not be disclosed to third parties who were not entitled to obtain it.  This is what he received.”[10]  In sum, the court explained, while Mercy’s “approach to data security was clumsy, it was also harmless.”[11]

Judge Helmick’s ruling is the latest in a string of cases this year that have grappled with whether alleged injuries arising from data breaches, security vulnerabilities, and other cybersecurity incidents are sufficient to establish standing.  As long as the circuits remain split on this question, an issue the Supreme Court has thus far declined to resolve, potential defendants should expect this to continue to be a heavily litigated issue in cybersecurity-related actions.

[1] Amended Comp’l ¶¶ 14, 29-31.

[2] Amended Comp’l ¶¶ 2-3.

[3] Amended Comp’l ¶ 17.

[4] Amended Comp’l ¶¶ 79-112.

[5] Amended Comp’l ¶ 2.

[6] Amended Comp’l ¶ 4.

[7] Amended Comp’l ¶ 5.

[8] Order at *3.

[9] Order at *3-4 (internal quotation marks and citation omitted).

[10] Order at *4.

[11] Order at *4.