Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365

Background

IWP, a Massachusetts home‑delivery pharmacy, suffered a January 2021 data breach that exposed PII (including names and Social Security numbers) of over 75,000 patients; IWP learned of the breach in May 2021 and began notifying patients in February 2022 after a prolonged investigation.
Named plaintiffs Webb (former patient) and Charley (current patient) allege harms including anxiety, time spent monitoring accounts, and that Webb’s stolen PII was used to file a fraudulent 2021 tax return.
Plaintiffs filed a putative class action in May 2022 asserting state‑law claims (negligence, breach of implied contract, unjust enrichment, invasion of privacy, breach of fiduciary duty) seeking damages and injunctive/declaratory relief.
The district court dismissed for lack of Article III standing, finding the complaint failed to plausibly allege an injury in fact and that future harm was not imminent.
The First Circuit held the complaint plausibly alleged Article III standing for damages (Webb: actual misuse; both plaintiffs: imminent risk plus concrete present harm from time spent mitigating) but lacked standing to seek injunctive relief because requested injunctions would not likely redress the alleged injuries.

Issues

Issue	Plaintiff's Argument	Defendant's Argument	Held
Standing for damages based on actual misuse (Webb)	Webb: false tax return was filed using PII obtained in the IWP breach, constituting concrete injury	IWP: complaint fails to plausibly connect the false return to the breach	Court: plausible temporal and factual link; actual misuse of PII is a concrete injury giving standing for damages
Standing for damages based on risk of future misuse (Charley and alternative basis for Webb)	Plaintiffs: targeted theft of sensitive data + some actual misuse creates imminent, substantial risk; time spent monitoring is a present, concrete injury	IWP: risk is speculative/not imminent; mitigation/time spent cannot manufacture standing	Court: targeted attack, misuse of some records, and exposure of SSNs/DOBs plausibly show imminent risk; lost time/opportunity costs are concrete injuries tied to that risk
Traceability and redressability of damages claims	Plaintiffs: injuries flow from IWP’s inadequate security and are remediable by monetary relief	IWP: (generally contested causation/redress)	Court: injuries are fairly traceable to IWP and money damages would redress them
Standing for injunctive relief	Plaintiffs: seek injunctions to fix security and stop deceptive statements	IWP: injunctions would not redress plaintiffs’ present harms from already‑exfiltrated data or alleged past statements	Court: plaintiffs lack standing for injunctive relief because the requested relief would not likely prevent the injuries they allege

Key Cases Cited

TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (U.S. 2021) (clarifies concreteness, distinguishes injunctive relief based on risk from damages requiring a separate concrete injury)
Spokeo, Inc. v. Robins, 578 U.S. 330 (U.S. 2016) (intangible harms may be concrete when analogous to historically actionable injuries)
Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (no standing absent actual access or misuse of nonpublic data)
In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247 (11th Cir. 2021) (identity theft and resulting damages are concrete injuries)
Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (identity theft is a concrete, particularized injury)
McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021) (factors for assessing imminence of future misuse after a breach)
Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022) (applies similar imminence factors post‑TransUnion)
Lujan v. Defenders of Wildlife, 504 U.S. 555 (U.S. 1992) (standing requires injury, causation, redressability)
Evenflo Co. v. In re: Marketing, Sales Practices & Prods. Liab. Litig., 54 F.4th 28 (1st Cir. 2022) (procedural standards for standing at the pleading stage)
Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) (mitigation costs and actual misuse can constitute cognizable harms after a serious data breach)