March 11, 2019

Federal court allows data breach suit to go forward against oncology center

The United States District Court for the Middle District of Florida denied a motion to dismiss by 21st Century Oncology Holdings, Inc. and its subsidiaries in a consolidated class action brought by former patients claiming injuries stemming from a 2015 data breach in which an unauthorized party gained access to a database containing the information of 2.2 million patients, and then attempted to sell the compromised data online. Plaintiffs asserted several theories of injury in connection with the breach, including the “imminent and certain impending injury flowing from fraud and identity theft posed by their PII/PHI being placed in the hands of hackers and being offered for sale on the Dark Web.” 21st Century moved to dismiss the complaint, in part, on the grounds that an increased risk of future identity theft after a data breach does not constitute an injury in fact sufficient to establish standing. In denying 21st Century’s motion to dismiss, the Court considered “three non-exhaustive guiding factors” for determining when such an increased risk constitutes an injury in fact pursuant to the two-prong test set forth in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), and an emerging post-Spokeo circuit split: (1) the motive of the third party who obtained the plaintiff’s personal information, (2) the type of information obtained, and (3) whether information was actually accessed or misused in connection with the breach. The Court concluded that the plaintiffs in this case sufficiently pleaded injury in fact based on an increased risk of future identity theft and related mitigation expenses. At the same time, the Court rejected theories of injury based on (1) overpayment for data protection services, (2) loss of monetary value of PII and PHI, and (3) an increased risk of bodily injury or death.