United States: New Jersey Federal Court Applies Supreme Court’s Clapper Decision and Dismisses Data Breach Class Action

Last Updated: January 13 2014
Article by Judy Selby

Relying in part on the recent United States Supreme Court's ruling in Clapper v. Amnesty International, a federal judge in New Jersey dismissed a putative data breach class action against three healthcare entities and a vendor retained by each of the entities. Bobbi Polanco v. Omnicell, Inc., Civ. No. 13-1417 (NLH/KMW) (December 26, 2013). The defendants were Sentara Healthcare1, which owns hospitals throughout Virginia, South Jersey Health System, Inc. (SJHS, now known as Inspira), which provided medical care to the named plaintiff's daughter, the University of Michigan Health System (UMHS)2, and Omnicell, a vendor hired to manage and dispense medications. Because the Plaintiff only alleged injury based on anticipation of future harm, she lacked standing and the Defendants' motions to dismiss were granted.

Background

The plaintiff, Bobbi Polanco (Polanco), alleged that she brought her daughter to two Inspira hospitals for medical treatments on five occasions since 2011.  During those visits, Polanco either supplied to Inspira, or confirmed the accuracy of, confidential information including her social security number, insurance information, and medical information.

Polanco alleged that she received a December 31, 2012 letter from Omnicell, advising her of the November 14, 2012 theft of a laptop from an Omnicell employee's car and stating that "Omnicell is entrusted with patient information."  (Id. at 9-10)  Polanco alleged that the laptop contained unencrypted Personal Confidential Data (PCI) relating to thousands of Sentara, Inspira and UMHS patients.

Following receipt of the Omnicell letter, Polanco alleged that she did not receive reassurances from the Defendants that her PCI would be adequately secured from subsequent losses. Consequently, she alleged that she sought medical treatment for her daughter at more distant hospitals, thereby incurring increased expenses.

Polanco brought her putative class action on behalf of herself and all others similarly situated, asserting claims for (1) breach of state data security notification laws; (2) violations of consumer fraud statutes of New Jersey, Virginia and Michigan; (3) fraud; (4) negligence; and (5) conspiracy. Plaintiff alleged that she was seeking "to remedy the harmful effects of the breach of .... privacy interests of Plaintiff and the Class, the failure to timely and reasonably notify [Plaintiff and the Class] of such breach ..., and the misleading and deceptive notification sent on December 31, 2012." (Id. at 10).

Sentara's Motion to Dismiss

Sentara moved to dismiss on three primary grounds: (1)  pursuant to FRCP 12(b)(1),  Polanco lacked Article III standing because she did not allege a concrete injury-in-fact traceable to conduct on the part of Sentara; (2) pursuant to FRCP 12(b)(2), the Court lacked personal jurisdiction over Sentara because it had no meaningful contacts with New Jersey; and (3) pursuant to FRCP 12(b)(6), Polanco failed to state a claim upon which relief could be granted.

Article III Standing

Addressing Sentara's motion, the Court reiterated the bedrock principles that, "First, the plaintiff must suffer an injury-in-fact that is concrete and particularized and actual or imminent, as opposed to conjectural or hypothetical. Second, there must be a causal connection between the injury and the conduct complained of — the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court. Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." (Id. at 25).

Sentara argued that Polanco lacked standing to sue Sentara, a legal stranger, because she had no relationship with Sentara and that it was never entrusted with her PCI. Sentara, joined by Inspira and Omnicell, also argued that Polanco's "self-imposed increased costs based on pure speculation" were the "sort of speculative and manufactured damages prohibited" by the Supreme Court's Clapper  decision and the Third Circuit's ruling in Reilly v. Ceridian Corporation, a data breach case.  The Court agreed with both arguments and granted the Defendants' motions, without addressing any remaining issues.

No Injury Traceable to Sentara

Evaluating Sentara's motion, the Court noted that "the facts alleged in the Amended Complaint3 fail to demonstrate any causal connection between the alleged injury and any conduct on the part of Sentara." (Id. at 26). The "fact that a suit may be a class action adds nothing to the question of standing, for even named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." (Id. at 26-27). "[Polanco] is required to establish standing with respect to each separate Defendant named in this suit, and she cannot rely on conduct by Sentara that relates to unidentified, potential class members." (Id. at fn. 14).

In addition, a "plaintiff may not maintain an action on behalf of a class against a specific defendant if the plaintiff is unable to assert an individual cause of action against that defendant, whether for reasons of lack of standing or for lack of Rule 23(a)(3) typicality."  (Id. at  27).  Here, because Polanco could not show an injury traceable to Sentara's conduct, the Court ruled that she lacked standing to sue Sentara.  (Id. at  29).

Conclusory Allegations Are Legally Insufficient to Create Standing

The Court then turned to the Defendants' subject matter jurisdiction argument. "As Defendants point out, in Clapper, the Supreme Court analyzed Article III standing, noting it has 'repeatedly reiterated that "threatened injury must be certainly impending to constitute injury in fact," and that "allegations of possible future injury" are not sufficient.' The Third Circuit similarly articulated in Reilly that allegations of 'possible future injury' are not sufficient to satisfy Article III. The Court's review of Reilly and Clapper indicates that these two cases are controlling for purposes of evaluating [Polanco's] standing in the present action." (Id. at 32).

Polanco tried to convince the Court that her "claim is different" from the data breach cases cited by the Defendants. (Id. at 35). However, the Court noted that Polanco "essentially concedes that she has not alleged either: (1) any misuse of her PCI or PHI [personal health information]; or (2) that she is now at an increased risk for the misuse of her information in the future based on the theft of the laptop." (Id. at 34-35). Polanco also "expressly denies that she has any fear of what the thief who allegedly stole the Omnicell laptop might do with her PHI and PCI. Instead, [Polanco] summarizes that her claims involve the actual loss of personal property, the failure to secure such property forward, and monies lost due to Inspira's failure to fulfill its express promises made to [Polanco]." (Id. at 34-35).

Polanco asserted that "because of Inspira's refusal to acknowledge its failings, and to take steps to remedy such failings, she has sued to prevent any further dissemination of her PHI and PCI by Inspira, and to force Inspira and Omnicell to purge their files of her sensitive information (or to secure it going forward)."  (Id. at  35).  The Court rejected Polanco's position, stating:

[Polanco's] arguments seeking to distinguish her case from the data breach security cases cited by Defendants based on the allege[d] "loss" of her PCI and PHI are unpersuasive here. At the outset, [the] Amended Complaint makes only limited references to the purported "loss" of her information. Moreover, to the extent [Polanco] alleges that the injury she suffered here is the "loss" (or presumably, disclosure) of her information in violation of HIPAA and Defendants' failure to secure her information going forward as required by HIPAA, the Court notes that HIPAA does not provide a private right of action to remedy HIPAA violations. . . . Consequently, Polanco cannot establish a concrete and particularized injury sufficient to confer standing here related to the "loss" of her PCI and PHI.

More importantly though, [Polanco's] assertions in the Amended Complaint and in her opposition that her PCI and PHI were "lost" are directly contradicted by the December 31, 2012 letter from Omnicell [in which] Omnicell explicitly confirms that "the patient's medical records were not on the device ... and that the patient's medical information has not been lost." Omnicell's letter goes on to state that there is "no reason to believe that the device was taken for the information it contained, or that the information has been accessed or used improperly." Thus, to the extent [Polanco] claims that the injury she suffered was the "loss" of her information, [those allegations] are belied by the representations made in the December 31, 2012 letter. (Id. at 36-39).

In sum, the Court held that Polanco asserted "only broad and conclusory allegations of harm that fail to satisfy [her] burden to demonstrate that she suffered an invasion of a legally protected interest which is both 'concrete and particularized' — meaning she was injured in a personal and individual way — and 'actual or imminent' as opposed to conjectural and hypothetical."  (Id. at  39).

Alleged Statutory Violations Do Not Confer Standing

The Court also ruled that Polanco's allegations that the Defendants breached various statutes did not create standing.  "[M]erely asserting violations of certain statutes is not sufficient to demonstrate an injury-in-fact for purposes of establishing standing under Article III, and the Court rejects [Polanco's] assertions on this point."  (Id. at  40).  In addition, the Court rejected Polanco's purported reliance on the New Jersey Consumer Fraud Act (CFA).  "[Polanco] cites no case law ... and the Court's research reveals no case where any state or federal court in New Jersey interpreted the CFA to serve as a backdoor remedy for HIPAA violations."  (Id. at fn.  24).

Prophylactic Expenses Do Not Constitute Injury-In-Fact

The Court noted that "the only harm that [Polanco] alleges in the Amended Complaint is that she incurred unspecified increased out-of-pocket expenses in seeking treatment for her daughter at medical facilities other than Defendants' because she was unwilling to return to SJHS and Inspira until such time as [h]er PCI is secure, her rights under HIPAA are protected, and the deficiencies that led to the November 14 incident have been corrected to her satisfaction."  (Id. at  40).  The Court observed:  "Much like the Plaintiffs in Reilly, [Polanco] has prophylactically spent money to ease her fears of a future loss of her PCI and PHI by a HIPAA-compliant medical facility and therefore made an independent decision to seek treatment elsewhere.  [Her] decision to do so was based entirely on her speculative belief that her PCI or PHI would be 'lost' again by Defendants.  Therefore, her assertion is one that claims injury for expenses incurred in anticipation of future harm, and is not sufficient for purposes of establishing Article III standing." (Id. at  40-41).

Conclusion

Fortunately, most individuals affected by a data breach do not suffer a legally cognizable injury as a result of that breach. In response, however, the plaintiffs' bar has attempted to manufacture new ways to show that data breach plaintiffs have sustained some type of injury. This case represents an important step in thwarting such efforts.

Footnotes

1 Sentara is represented by BakerHostetler in this matter.

2 The Court granted UMHS's motion to dismiss, ruling that it is entitled to Eleventh Amendment immunity.

3 Pursuant to the Court's sua sponte Order, Polanco was required to file an Amended Complaint to cure defective jurisdictional allegations in her original Complaint.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
