New York Team Obtains Complete Dismissal of Data Breach Class Action

(October 2020) - New York Partners Jeffrey Spiegel and Bradley J. Bartolomeo, along with Associate Ariadne Panagopoulou, recently obtained the dismissal of a putative class action pending in the New York Supreme Court, Westchester County. In this matter, Lewis Brisbois represented a laboratory that was affected by the 2019 American Medical Collection Agency (AMCA) data breach, which allegedly exposed the personal health information and personal identifiable information of approximately 25 million individuals.

In the underlying case, the client laboratory had contracted with AMCA to provide debt collection services. Then, in one of the largest healthcare data breaches to date, unauthorized third-party malicious actors accessed individuals’ personal data, including payment information, medical testing information, and personally identifiable information. The plaintiff allegedly had visited the client laboratory for blood tests, and her personal information was subsequently provided to AMCA for debt collection.

The plaintiff filed a class action lawsuit, claiming that the client laboratory had been negligent in its oversight of AMCA, and that it was likely that hers and other class members’ private information would be or had been disclosed already on the Darknet due to AMCA’s data breach. She alleged that this disclosure would make them vulnerable to identity theft or security fraud. The plaintiff asserted causes of action for negligence, negligence per se, breaches of implied and express contract, and several violations of the New York General Business Law.

We then moved to dismiss the plaintiff’s suit, arguing that she lacked standing to pursue her claims. The motion demonstrated that the complaint was devoid of any allegations of an actual injury and, instead, included only allegations regarding an increased risk of injury, which was insufficient for standing. The motion also argued that the plaintiff’s complaint failed to plead facts stating a claim under each cause of action asserted. For example, we successfully established that the plaintiff failed to state a claim for negligence because there was no duty of care, whether common law or contractual, that bound the client laboratory to safeguard the plaintiff’s personal information against a third-party cyber attack or a resulting data breach occurring inside a vendor’s database.

In its nine-page decision, the court dismissed the complaint in its entirety. It first held that the plaintiff had no standing because “she failed to establish that she and the class members have suffered injuries or that the alleged injuries are imminent." The court also opined that "even assuming that Plaintiff established standing, the Court must dismiss the Complaint based upon a failure to state a cause of action." In addition, the court agreed that neither the Health Insurance Portability & Accountability Act (HIPAA) nor common law required the laboratory to monitor the privacy safeguards of its business associates, by finding that the plaintiff failed to cite to any contractual provision that explicitly or implicitly required our client to otherwise safeguard her protected health information and personally identifiable information, which were in the control of the vendor.