defendant’s actions were materially misleading or that the plaintiffs had suffered injury directly as a result of any deceptive practices. The court also determined that the plaintiffs failed to adequately establish that they had relied on the privacy policy prior to the breach. For the Texas consumer protection claims, the court noted that Mata, the plaintiff from Texas, similarly did not specify which provisions of the Texas Deceptive Trade Practices Act were violated. Accordingly, the court granted the defendant’s motion to dismiss. In Maser, et al. v. CommonSpirit Health , 2024 U.S. Dist. LEXIS 102196 (D. Colo. Apr. 16, 2024), the plaintiff filed a class action alleging that the defendant failed to properly secure sensitive health and personal information of herself and over 623,000 other individuals after it was subject to a data breach when cybercriminals infiltrated CommonSpirit’s servers, accessing sensitive data such as names, addresses, medical records, and other personal information. The plaintiff asserted that the breach exposed her PHI and PII to unauthorized parties, which potentially resulted in fraud. She asserted that as a direct consequence of the breach, criminals accessed her bank account, leading to over $3,000 in fraudulent charges and ultimately causing her to lose her housing due to inability to pay rent. The plaintiff also alleged that she was subjected to a significant drop in her credit score and ongoing difficulties in recovering from the financial losses. The plaintiff brought claims for negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment. The defendant filed a motion to dismiss pursuant to Rule 12(b)(1) or Rule 12(b)(6). The court granted the motion. The court first noted that unlike many other circuits, the Tenth Circuit has not yet ruled on Article III standing in data breach cases. The court stated that here, the plaintiff failed to alleged that the sensitivity of the exposed data, and whether there was actual misuse of the data sufficient to establish that there was an injury- in-fact to confer standing. The plaintiff argued that she suffered harm in the form of the bank account fraud that resulted in financial and emotional distress. However, the court ruled that the plaintiff failed to specify when the fraud occurred in relation to the data breach, or connect how the stolen information could have directly led to unauthorized access to her financial accounts. Regarding the risk of future harm, the plaintiff argued that the stolen data could enable “social engineering” attacks. Id. at *18. However, the court concluded that the plaintiff’s theory was too tenuous, as it would require the additional, independent action of someone being deceived by the social engineering attack to materialize any potential fraud. Accordingly, the court concluded that the plaintiff failed to allege a sufficient injury-in-fact to support Article III standing, and granted the defendant’s motion to dismiss. In 2022, in Henderson, et al. v. Reventics LLC, Case No. 23-CV-586 (D. Colo. Sept. 30, 2024), the defendant learned that cybercriminals exfiltrated its network and obtained the “names, dates of birth, Social Security numbers, and clinical data” of 250,000 of its clients’ patients. Id. at 3. Two months later, after its investigation of the cybercrime was completed, the defendant sent out notices regarding the incident to the potentially affected individuals. Within the next few weeks, the defendant was sued seven times, by 15 different plaintiffs, each alleging that the cyber security incident constituted a breach of their PII and PHI. These plaintiffs all alleged that they suffered injuries in the form of: “(1) public disclosure of private information, including Social Security numbers and medical information; (2) increased spam communications; (3) diminution of the value their PHI/PII; (4) emotional distress; (5) actual fraud; and (6) future impending injury.” Id. at 9. Despite the existence of 15 separate plaintiffs, none of these individuals could plausibly allege that they lost any money as a result of the cyber security incident. Consequently, once all these class actions where consolidated into one proceeding, Omega moved to dismiss on the grounds that the plaintiffs lacked Article III standing to sue. The court granted Omega’s motion to dismiss. The court rejected the plaintiffs’ theory that the public disclosure of their so-called “private information” constitutes a compensable injury in fact. The plaintiffs argued that public disclosure of their alleged PII and PHI would cause them to voluntarily spend money on future credit monitoring services. However, the court found that the plaintiffs “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.” Id. at 10-11. In the absence of imminent risk of harm, the court concluded proactive credit monitoring cannot constitute an injury. Second , the court found that the plaintiffs’ allegations of increased spam communications were also not an injury in fact. But even if they were, the court held that the plaintiffs could not plausibly allege that they received those spam communications because of the defendant’s conduct. Third , the court dispensed with the idea that the plaintiffs’ personal information “has independent monetary value” sufficient to support a claim for diminution of value as to that information. Id. at 13. Even still, the court ruled that because the plaintiffs lacked the means to sell their own personal information at a lower price, this theory failed as well. Fourth, as to the plaintiffs’ claims of emotional distress, the court agreed with other rulings around the country and found that “[e]motional distress does not constitute a cognizable injury-in-fact in data privacy litigation.” Id. at 14. Fifth , the court dismissed the plaintiffs’
11
© Duane Morris LLP 2025
Duane Morris Data Breach Class Action Review – 2025
Made with FlippingBook - professional solution for displaying marketing and sales documents online