In Re Horizon Healthcare Services Inc. Data Breach Litigation
846 F.3d 625 | 3rd Cir. | 2017
Background
- Horizon Healthcare stored unencrypted personally identifiable information (PII) and protected health information (PHI) of ~839,000 members on two laptops stolen from its Newark headquarters in Nov. 2013; Horizon notified members about a month later and offered one year of credit monitoring.
- Four named plaintiffs (Horizon members) sued on behalf of a class, alleging willful and negligent violations of the Fair Credit Reporting Act (FCRA) and multiple state-law claims based on Horizon’s failure to safeguard their data.
- Plaintiffs alleged unauthorized disclosure of their information (and increased risk of identity theft); one named plaintiff (Rindner) also alleged actual identity-fraud-related harms (fraudulent tax return, delayed refund, attempted credit card fraud).
- District Court dismissed under Fed. R. Civ. P. 12(b)(1) for lack of Article III standing, concluding plaintiffs had not alleged a concrete injury beyond speculative risk of future harm.
- Third Circuit vacated and remanded, holding that an unauthorized disclosure in violation of FCRA can constitute a concrete, particularized injury for Article III standing, even without proof of downstream misuse.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether plaintiffs have Article III standing after a data breach | FCRA violation (unauthorized disclosure) itself is a concrete, particularized injury; alternatively, breach created imminent increased risk of identity theft | No cognizable injury: plaintiffs allege only statutory/procedural violations or speculative future harm from third-party misuse | Yes. Court held unauthorized disclosure under FCRA is a cognizable injury in fact sufficient for standing; plaintiffs need not allege further misuse to satisfy concreteness |
| Role of Spokeo on intangible harms | Spokeo permits statutory violations to supply concreteness when Congress intended to protect the interest | Horizon argued Spokeo requires additional concrete harm or a material risk of harm beyond a statutory breach | Spokeo does not foreclose standing here; congressional judgment protecting personal data and privacy supports concreteness; Spokeo’s limitations acknowledged but inapplicable |
| Whether increased risk of identity theft alone suffices | Plaintiffs also argued increased risk is sufficient for standing | Horizon argued risk is speculative/attenuated and depends on third-party action | Court relied on statutory violation theory primarily; noted risk-of-harm theory can support standing in appropriate factual settings but was not required here |
| Class standing implications | Named plaintiffs must have individual standing to represent class; their alleging unauthorized disclosure satisfies particularization | Horizon warned of floodgates from allowing suits for technical/statutory violations | At least one named plaintiff’s statutory injury suffices for class to proceed; particularization and concreteness limit frivolous suits |
Key Cases Cited
- Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47 (2007) (explains FCRA purposes including consumer privacy protection)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (articulates Article III standing elements)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (clarifies concreteness and particularization for intangible harms; Congress may elevate intangible harms but bare procedural violations may not suffice)
- Fed. Election Comm’n v. Akins, 524 U.S. 11 (1998) (Congress may create statutory rights whose invasion constitutes injury in fact)
- Havens Realty Corp. v. Coleman, 455 U.S. 363 (1982) (statutory misrepresentations can be the precise injury the statute protects)
- In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015) (unconsented data collection can constitute a concrete privacy injury)
- In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016) (unauthorized disclosure of legally protected information is a de facto injury)
- Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (increased risk of identity theft from breach of common-law duties may be too speculative for standing)
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach plaintiffs can have standing where unlawful disclosure creates a credible risk of identity theft)
