166 F. Supp. 3d 1315
S.D. Fla.2016Background
- Plaintiff Kellie Lynn Case sued Aventura Hospital/Miami Beach Healthcare Group and HCA-Emcare Holdings after a data breach (records of >85,000 patients allegedly removed by an employee) that occurred during 2012 and was disclosed in 2014.
- Case alleges breach of express contract (alternatively implied contract or unjust enrichment), claiming defendants promised to protect her sensitive health information and provide healthcare services in exchange for payment.
- Case asserts she received diminished-value healthcare because defendants failed to protect her data, and therefore she paid more than she otherwise would have paid.
- Defendants moved to dismiss under Fed. R. Civ. P. 12(b)(1) (lack of Article III standing) and 12(b)(6), and to strike class allegations; court considered jurisdictional challenge facially and with supporting documents.
- The court found Case alleged no actual misuse of her data (no identity theft or concrete economic harm) and that documents did not show charges included data-protection as part of service value; Case paid only a de minimis portion of the billed amount.
- Court dismissed the Second Amended Complaint for lack of subject-matter jurisdiction (standing) and denied consideration of other arguments; case closed.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing to sue after data breach | Case: breach of contract and diminished-value theory (paid more because data not protected) confers injury-in-fact | Defendants: plaintiff alleges only speculative harm; no actual misuse or concrete injury | Dismissed for lack of standing — plaintiff failed to allege concrete, particularized injury |
| Whether alleged diminished value of healthcare is a concrete injury | Case: loss in value of services due to inadequate data security | Defendants: billing and payment records show no priced data-protection term; injury speculative and de minimis | Court: diminished-value theory insufficiently concrete/particularized; records undermine claim |
| Reliance on other data-breach precedents (Adobe/Target) | Case: those decisions support standing for data-breach plaintiffs asserting increased risk/costs/loss of value | Defendants: those cases involved actual misuse, unlawful charges, or evidence of surfaced data; distinguishable | Court: distinguished — unlike Adobe/Target/Resnick, Case alleged no misuse or concrete harms, so precedents do not save standing |
| Class allegations (atypicality) | Case: seeks class treatment on common contract-based theory | Defendants: class should be stricken as atypical if individual issues predominate | Court: did not reach class certification/striking because dismissed for lack of jurisdiction |
Key Cases Cited
- Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (plaintiffs who alleged actual identity theft and monetary loss had Article III standing after a health-data breach)
- Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (U.S. 2013) (Article III requires concrete, particularized, actual or imminent injury)
- Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167 (U.S. 2000) (standing requires injury fairly traceable to defendant and redressable)
- Williamson v. Tucker, 645 F.2d 404 (5th Cir. 1981) (court may resolve jurisdictional challenges using complaint plus evidence and disputed fact resolution)