Khan v. Children's National Health System
188 F. Supp. 3d 524
D. Maryland
2016

Background

  • Khan, a patient at Children’s National Health System (CNHS), alleges hackers accessed employee email accounts via phishing from July–Dec 2014, potentially exposing patient PII and health information.
  • CNHS notified ~18,000 patients in Feb 2015, stating its electronic medical records were not affected and that there was no evidence the email data was misused.
  • Khan alleges increased risk of identity theft, mitigation expenses, loss of privacy, diminished value of personal data and services, and misleading/delayed notice; she seeks to represent a class.
  • CNHS removed the case to federal court under CAFA; it moved to dismiss for lack of Article III standing and for failure to state a claim.
  • The court considered standing (Rule 12(b)(1)) only and found Khan lacked a concrete, imminent injury; it remanded the case to state court rather than dismissing.

Issues

| Issue | Plaintiff's Argument | Defendant's Argument | Held |
| --- | --- | --- | --- |
| Article III injury-in-fact from increased risk of identity theft | Khan: breach placed her at substantial, imminent risk of identity theft | CNHS: alleged risk is speculative; no concrete or imminent injury shown | No standing — risk of future identity theft not certainly impending or shown by misuse |
| Standing based on mitigation costs | Khan: out-of-pocket time and expenses to monitor/secure accounts constitute injury | CNHS: mitigation costs cannot create standing absent a certainly impending harm | Costs insufficient absent imminent harm |
| Loss of privacy / diminished value of services or data | Khan: privacy loss and diminished value of PII/services are injuries | CNHS: Plaintiff identifies no concrete damages or market loss tied to services/PII | No concrete, particularized injury shown |
| Statutory/common-law violations confer federal standing | Khan: statutory and common-law claims establish injury | CNHS: statutory claim does not substitute for Article III concrete injury | Violations of state law do not avoid Article III requirement; no standing |

Key Cases Cited

  • Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) (future injury must be certainly impending; possible harms insufficient)
  • Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (plaintiff bears burden to prove Article III standing)
  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (statutory violation must still involve a concrete injury to satisfy Article III)
  • Steel Co. v. Citizens for a Better Environment, 523 U.S. 83 (1998) (court must resolve jurisdictional questions before reaching merits)
  • Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (data-breach victims may have standing where breach creates credible, immediate risk or actual misuse)
  • Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (standing where data breach led to known fraudulent charges or showed clear intent to misuse data)
  • Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (no standing where alleged access was speculative and no misuse occurred)

Case Details

Case Name: Khan v. Children's National Health System
Court Name: District Court, D. Maryland
Date Published: May 19, 2016
Citation: 188 F. Supp. 3d 524
Docket Number: Civil Action No. TDC-15-2125
Court Abbreviation: D. Maryland