In re 21ST Century Oncology Customer Data Sec. Breach Litig.
380 F. Supp. 3d 1243
M.D. Fla.
2019

Background

  • In Oct–Nov 2015, 21st Century Oncology disclosed a data breach affecting ~2.2 million patients; stolen data was advertised for sale online and an FBI informant obtained a sample.
  • Fourteen named plaintiffs (residing in multiple states) filed a consolidated/amended class action asserting common-law claims (negligence, negligent misrepresentation, breach of contract/implied duties, fiduciary duty, unjust enrichment, invasion of privacy, declaratory judgment) on behalf of a nationwide class.
  • Plaintiffs allege PII/PHI was disclosed (including names, Social Security numbers, medical diagnoses, insurance data) and assert injuries including increased risk of identity theft, mitigation costs, time spent monitoring, emotional distress, and some actual misuse for several plaintiffs.
  • Defendants moved to dismiss for lack of Article III standing (challenging seven “non-misuse” plaintiffs who allege no actual misuse) and for failure to state claims under Rule 12(b)(6).
  • The court held that Plaintiffs adequately alleged an Article III injury based on (1) a substantial increased risk of identity theft and (2) mitigation expenses; it rejected other theories (overpayment, diminution-in-value, and speculative risk of bodily injury).
  • The court denied dismissal for lack of subject-matter jurisdiction, and denied without prejudice the 12(b)(6) dismissal request, directing additional briefing on choice-of-law for the multi-state common-law claims.

Issues

Issue: Whether non-misuse plaintiffs have Article III injury from increased risk of identity theft
  Plaintiff's Argument: Data was targeted and sold; risk is substantial and imminent given sale/advertisement and some concrete misuse by other plaintiffs
  Defendant's Argument: Risk is speculative and insufficient under Clapper; mere possibility of future misuse lacks concreteness
  Held: Plaintiffs pleaded sufficient facts (targeted sale, sensitive static data, evidence of access/use) to establish injury-in-fact based on increased risk of identity theft

Issue: Whether mitigation expenses confer standing
  Plaintiff's Argument: Plaintiffs incurred time and money to monitor and protect identity because of the breach
  Defendant's Argument: Mitigation costs are not cognizable unless the underlying risk is certainly impending
  Held: Because the increased-risk injury was plausible, mitigation costs are cognizable and support standing

Issue: Whether plaintiffs can plead injury via "overpayment" for services
  Plaintiff's Argument: Plaintiffs paid for healthcare and would not have used defendant if informed about inadequate security; that is economic harm
  Defendant's Argument: No allegation that payments specifically purchased data protection or that market value was reduced; overpayment theory is speculative
  Held: Overpayment theory fails: insufficient facts showing payment allocated to security or diminished market value

Issue: Whether diminution in value of PII/PHI is a cognizable injury
  Plaintiff's Argument: PII/PHI has market value (black-market pricing); value was diminished by the breach
  Defendant's Argument: Courts routinely reject that personal data has independent monetary value without particularized allegation
  Held: Diminution theory rejected for lack of particularized allegation of pre-/post-breach monetary value loss

Issue: Whether speculative risk of physical harm from medical identity theft confers standing
  Plaintiff's Argument: Misuse of PHI could cause medical records to be commingled, producing misdiagnosis and physical injury
  Defendant's Argument: Sequence of events leading to physical harm is speculative and attenuated
  Held: Theory too speculative; chain of contingencies fails the "certainly impending" or substantial-risk requirement

Key Cases Cited

  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (U.S. 2016) (articulates injury-in-fact requirements for Article III standing and that intangible harms can be concrete)
  • Lujan v. Defenders of Wildlife, 504 U.S. 555 (U.S. 1992) (foundational standing principles: injury in fact, traceability, redressability)
  • Clapper v. Amnesty Int'l USA, 568 U.S. 398 (U.S. 2013) (future injuries must be certainly impending or present substantial risk; plaintiffs may not base standing on highly speculative chains)
  • Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach context recognizing inference of substantial risk when hackers target PII)
  • In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (held increased risk from data breach can be a concrete injury where data targeted and usable for fraud)
  • Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (found standing where plaintiffs plausibly alleged access to highly sensitive PII and a substantial risk of misuse)
  • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (refused standing where intrusion lacked evidence of malicious intent or actual access/misuse)
  • In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) (rejected standing where compromised data did not include static identifiers and future harm was speculative)
  • Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (declined to infer standing absent evidence that data was actually accessed or misused)
  • Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (recognized risk from stolen payment-card data could support standing where such data can be used to commit broader fraud)

Case Details

Case Name: In re 21ST Century Oncology Customer Data Sec. Breach Litig.
Court Name: District Court, M.D. Florida
Date Published: Mar 11, 2019
Citation: 380 F. Supp. 3d 1243
Docket Number: MDL No. 2737; Case No: 8:16-md-2737-MSS-AEP
Court Abbreviation: M.D. Fla.