Fear Created by Data Breach Suffices for Class-Action Suit to Proceed, 1st Circuit Rules
Former customers of Injured Workers Pharmacy whose personal information was stolen by hackers and allegedly used to file a fake tax return may pursue a class-action lawsuit against the company, a panel of the 1st District Court of Appeal ruled Friday, reversing a trial court decision.
The appellate panel said that Alexsis Webb and Marsclette Charley had plausibly alleged they were injured by a 2021 data breach that exposed their personal information. Both were clients of IWP in January 2021, when hackers breached the company’s computer network, exposing the personally identifiable information of 75,000 customers.
“We do not hold that individuals face an imminent and substantial future risk in every case in which their information is compromised in a data breach. But on the facts alleged here, the complaint has plausibly demonstrated such a risk,” the opinion says.
Injured Workers’ Pharmacy, a Massachusetts company that mails medications prescribed for work injuries and illnesses to workers’ compensation claimants, discovered it had been hacked in May 2021, four months after the actual data breach. The company admitted that the hackers compromised multiple employee email accounts and had unfettered access to its network during the months the breach was undetected.
IWP did not begin notifying customers of the hack until February 2022, and even then did not reveal the scope of the breach. The company encouraged its customers to monitor their account statements and credit reports for suspicious activity, but did not offer to pay for credit monitoring and identity protection services to the impacted patients.
Webb, a resident of Ohio, alleges that the “cybercriminals” behind the hack used her information to file a fake tax return, which forced her to expend personal time to deal with the Internal Revenue Service and caused “anxiety, sleep disruption, stress, and fear.” Charley, a Georgia resident, says she is “experiencing feelings of rage and anger, anxiety, sleep disruption, stress, fear, and physical pain.”
In May 2022, the two woman filed a putative class-action lawsuit in the US District Court for Massachusetts seeking damages for negligence, breach of contract, unjust enrichment, invasion of privacy and breach of fiduciary duty. They also asked for an injunction from the court requiring IWP to improve its cybersecurity and ordering the company to cease its unfair practices.
The lawsuit requested certification of a class of United States residents whose personally identifiable information was compromised by the data breach.
District Court Judge Richard G. Stearns dismissed the complaint, finding that Webb and Charley lacked standing because they failed to state an injury in fact. The judge found that Webb did not sufficiently allege a connection between the data breach and the fake tax return filed in her name. The judge found that the allegation of potential misuse of personal information was not sufficiently imminent to establish an injury in fact.
The appellate panel disagreed. The panel noted that in a 2021 decision, TransUnion LLC v. Ramirez, the US Supreme Court ruled that plaintiffs must demonstrate they have suffered a “concrete injury” in order to assert a claim for damages by a data breach.
“Intangible harms can also be concrete, including when they ‘are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,’ such as ‘reputational harms, disclosure of private information, and intrusion upon seclusion,'” the opinion says, citing a different Supreme Court ruling.
The panel said Webb’s allegations that her information was used to file a false tax return suffice to state a concrete injury. Charley’s allegation of a material risk of harm due to potential misuse of her personal information was also sufficient to give her standing, the opinion says.
“Plaintiffs face a real risk of misuse of their information following a data breach when their information is deliberately taken by thieves intending to use the information to their financial advantage — i.e., exposed in a targeted attack rather than inadvertently,” the opinion says.
The panel reversed the District Court’s decision that Webb and Charley lacked standing, but affirmed its ruling not to issue the requested injunctions. The panel said the plaintiffs failed to show how the injunctions would redress their injuries.