The Delaware Superior Court dismissed a legal action filed on behalf of affected individuals of a Brandywine Urology Consultants data breach because the plaintiffs failed to present proof showing they had experienced harm because of the breach.
Brandywine Urology Consultants encountered a ransomware attack on January 27, 2020 The attack was identified after two days and the succeeding investigation affirmed the attackers got access to a network that secured patient records.
Brandywine Urology Consultants deduced from its investigation that the ransomware attack was carried out to extort money instead of to get patient information, although unauthorized data access and data theft can’t be ruled out. The hackers probably accessed the protected health information (PHI) of 130,000 patients and might have viewed or gotten names, Social Security numbers, medical record numbers, financial records, claims information, and other details.
The lawsuit was submitted in May 2020. Allegedly, Brandywine Urology Consultants was irresponsibe for its failure to stop the attack, had breached its fiduciary obligation, and violated the Delaware Computer Security Breach Act and the Delaware Consumer Fraud Act.
The lawsuit alleged the breach victims were facing imminent risk of harm, had experienced a loss of privacy, anxiety due to the theft of their PHI, a failure to obtain the benefit of a bargain, and disruption to medical care. The lawsuit desired damages to pay the value of mitigations and out of pocket expenditures that had been sustained.
Brandywine Urology Consultants submitted a motion to dismiss the legal action for insufficient standing. The defendant said the plaintiffs did not allege an injury in fact, the economic loss doctrine bars any recovery, and the court was missing jurisdiction for the subject matter of breach of fiduciary duty claim.
Brandywine Urology Consultants contended that the claim it had violated the Delaware Computer Security Breach Act didn’t have standing because it had followed the statute’s notice requirement, and the Delaware Consumer Fraud Act violation allegation must be sacked since the plaintiffs didn’t state a claim under the statute.
The Honorable Mary M. Johnston stated in the ruling that a plaintiff alleging that it is going to experience potential injuries from a defendant’s allegedly inappropriate conduct should show that such injuries are definitely impending,” and should show “a probability that the injury will be redressed by a positive decision.
Because the plaintiffs could not offer proof of harm, there was just a potential that their sensitive information was compromised, and the quick and proper steps that were done by the defendant to look into it and abate the breach, the motion to dismiss was approved.
Although the plaintiffs maintained to have suffered costs due to the breach, the judge ruled that expenses sustained in response to a supposed threat are not enough, in itself, to make an injury enough to confer standing.