Most DOD Health Plan Breach Plaintiffs Can't Show Injury Based Merely on Fears

May 12 -- The loss of data without actual misuse doesn't constitute an injury that would provide standing to plaintiffs who sued federal government contractor Science Applications International Corp. following a 2011 data breach, the U.S. District Court for the District of Columbia ruled May 9 (In re Science Applications Int'l Corp. Backup Tape Data Theft Litig., D.D.C., No. 1:12-mc-00347-JEB, partially dismissed 5/9/14).

Most courts that have addressed the issue of standing in data breach cases “have agreed that the mere loss of data--without evidence that it has been either viewed or misused--does not constitute an injury sufficient to confer standing,” Judge James E. Boasberg said.

In September 2011, an employee of McLean, Va.-based SAIC reported backup tapes containing electronic health records as stolen from his vehicle. Those backup tapes contained the personal information and medical records of nearly 5 million individuals enrolled in TRICARE, the Department of Defense health insurance system for military members, dependents and retirees.

The majority of the plaintiffs have alleged “mere loss of data” and must be dismissed, the court said. But it allowed the claims of two plaintiffs to proceed because they sufficiently alleged that their information was “accessed or abused.”

Increased Risk of Harm Not Enough.

Citing Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), the district court concluded that an increased risk of harm by itself doesn't constitute an injury in fact.

“At this point, the likelihood that any individual Plaintiff will suffer harm remains entirely speculative,” the court said. The plaintiffs' alleged injuries depend on the actions of an independent third party, the thief who stole the backup tapes, it said.

Nor do measures taken to prevent a speculative future harm, such as credit monitoring, confer standing, the court concluded.

Most of the plaintiffs fared no better with their claim that they were injured because the data breach invaded their privacy. With the exception of a few plaintiffs who alleged that their data were used, the majority of the plaintiffs haven't alleged that the personal information was viewed or disclosed, the court said.

The plaintiffs also alleged that they were injured by the loss of value of their information and the forfeiture of the value of their insurance premiums. But they didn't allege that they intended to sell their information, and they failed to allege that the market value of their insurance coverage was less than what they paid, the court said.

Only Two Left Standing.

Only two plaintiffs plausibly alleged injuries causally connected to the breach, the court said.

Following the breach, one plaintiff received notices from American Express thanking him for applying for loans he never applied for, and loan applications typically require personal information such as that contained on the lost backup tapes, the court said. Another plaintiff, whose phone number was unlisted, received unsolicited phone calls targeting a medical condition in her medical records following the breach.

The plausibility of those two plaintiffs' allegations, “however, does not lead to the conclusion that wide-scale disclosure and misuse of all 4.7 million TRICARE customers' data is plausibly 'certainly impending,'” the court said.

Finkelstein Thompson LLP and the Coffman Law Firm served as interim co-lead class counsel. Arnold & Porter LLP and Reed Smith LLP represented SAIC. The Department of Justice represented the federal defendants.

Full text of the court's opinion is available at
