Massachusetts Court: Patients Have Standing to Sue for Data Breach Based on Data Exposure Alone
A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information. The Massachusetts decision adopts a more relaxed approach to standing than has generally been followed in the federal courts. The holding, however, may not have broad applicability outside of Massachusetts state court, and does not eliminate potential obstacles to proving the claims asserted.
In Walker et al v. Boston Medical Center Corp., No. 2015-1733-BLS 1 (Mass. Super. Ct. Nov. 19, 2015), plaintiffs alleged that Boston Medical Center Corp. (“BMC”) notified them that their medical records “were inadvertently made accessible to the public through an independent medical record transcription service’s online site.” Although BMC did not know how long the information had been vulnerable to access by unauthorized individuals, BMC notified the plaintiffs by letter that it had no reason to suspect that any patient data had been misused as a result of the breach. Plaintiffs do not allege that any unauthorized persons actually viewed, accessed or misused their private information. Plaintiffs seek to recover money damages under a host of statutory and common law theories.
BMC moved to dismiss for lack of standing. A robust line of federal authority, following the Supreme Court’s decision in Clapper v. Amnesty International USA, 113 S. Ct. 1138 (2013), holds that alleging mere exposure of private data, without any resulting harm or injury, is insufficient to establish standing to sue for money damages in federal court. Without citing to or distinguishing these federal cases, the Massachusetts court denied BMC’s motion to dismiss, reasoning that pleading a “real and immediate risk” of injury was sufficient for a plaintiff to demonstrate standing. Although the Walker plaintiffs did not allege that their medical records had been accessed, or their personal information used, by any unauthorized person, the court’s holding indicates that the mere exposure of patient data to potential access by unauthorized persons may still adequately plead an injury. In this case, the plaintiffs alleged facts that, if true, “suggest[ed] a real risk of harm from the data breach at BMC” (internal quotations omitted), because BMC’s letter notifying the plaintiffs of the data breach supported an inference that “plaintiffs’ medical records were available to the public on the internet for some period of time and that there is a serious risk of disclosure.” Based on this inference, the court found it reasonable to draw the further inference that the records “either were accessed or likely to be accessed by an unauthorized person.” This “general allegation of injury from the data breach” was sufficient to demonstrate standing.
This decision is significant for several reasons. First, Walker represents a comparatively lax approach to standing, in which alleging the mere exposure of information with the potential for access and misuse by unauthorized persons pleads sufficient injury to establish standing and survive a motion to dismiss. In contrast, in Clapper, the U.S. Supreme Court held that plaintiffs who alleged that the National Security Agency (“NSA”) actually had access to their private telephone and email conversations through its surveillance program still lacked Article III standing to sue based on the theory that their communications would be obtained at some future point. In other words, the threat of future injury was insufficient to support Article III standing even where access, not just exposure, to private information was actually alleged. 113 S. Ct. 1138, 1143 (2013).
Walker’s adoption of the relaxed “real risk of harm” standard for establishing standing in a data breach claim also leaves in question whether there may be real, meaningful differences in standing doctrine between the federal courts and Massachusetts’ Trial Court. While the federal courts are subject to the constitutional restrictions of Article III’s “case or controversy” requirement, Massachusetts’ highest court has suggested in other cases that standing doctrine in state courts is not so exacting: “State courts…are not burdened by” the federal courts’ “same jurisdictional concerns and, consequently, may determine, particularly when class actions are involved, that concerns other than standing in its most technical sense may take precedence.” Weld v. Glaxo Wellcome Inc., 434 Mass. 1, 88-89 (2001). Given this comparatively lax application of standing doctrine in Massachusetts state courts, Walker’s holding may not actually move the needle much and may have limited force beyond Massachusetts Superior Court.
As the Walker case proceeds through discovery, the parties will have the opportunity to build a fulsome record demonstrating the actual breadth of the exposure, if any, resulting from the data breach, and whether, and to what extent, the breach posed a risk of harm to the plaintiffs, including the likelihood of any nefarious use of the plaintiffs’ personal information. Accordingly, any longer lasting principles that develop out of this case may have to await further proceedings to establish what, if any, harm resulted from the breach.