Silvers v. HCA Healthcare, Inc.
3:23-cv-00684
| M.D. Tenn. | Aug 15, 2024
Background
- HCA Healthcare suffered a cyberattack in July 2023, leading to unauthorized access and leak of patients’ personally identifiable information (PII) and protected health information (PHI).
- Hackers placed the stolen data (27.7 million records) on the dark web and made a ransom demand; after no response, the data was offered for sale.
- Plaintiffs allege harm from identity theft, fraudulent accounts, unauthorized charges, lost time, annoyance, and expenditures for mitigation.
- HCA provided some mitigation (credit monitoring, ID protection for two years); Plaintiffs contend these were insufficient.
- Plaintiffs, on behalf of a putative class, brought various tort, contract, unjust enrichment, and statutory claims under several states’ laws.
- HCA filed a motion to dismiss under Rule 12(b)(6); Plaintiffs opposed.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Cognizable Injury from Data Breach | Identity theft, fraud, costs, and ongoing risk justify injury-in-fact | No sensitive data taken; no plausible injury alleged | Plaintiffs sufficiently alleged injury |
| HCA's Duty & Alleged Wrongdoing | HCA failed to protect data, foresee breach, and use reasonable measures | No duty to prevent criminal acts; security measures were reasonable | Duty and wrongdoing plausibly alleged |
| Viability of Common Law/Contract Claims | Claims viable since HCA's actions/inactions led to foreseeable harms | Claims barred: no special relationship or explicit data-protection promise | Some common law/contract claims dismissed; negligence stands |
| Statutory Claims Under State Laws | Sufficient facts to show violation of statutory duties or consumer protections | Only criminal acts alleged; lack of pleading of specific statutory violations | Statutory claims under CA, FL, KS, KY, TN, VA survive |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading standard for federal court, plausibility requirement)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) (introduced plausibility for pleadings)
- Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384 (6th Cir. 2016) (sufficient risk of harm for standing in data breach cases)
- Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (data breach victims can claim injury even if not all info necessary for fraud was exposed)
- Bradshaw v. Daniel, 854 S.W.2d 865 (Tenn. 1993) (general duty to avoid foreseeable harm)
- Biscan v. Brown, 160 S.W.3d 462 (Tenn. 2005) (duty created by voluntarily acting)
