New York Judge Drops Class Action PACS Data Breach Case for Insufficient Standing

A New York Federal Judge dismissed a class-action lawsuit filed against Alliance HealthCare Services and NorthEast Radiology PC because of a data breach that compromised the protected health information (PHI) of above 1.2 million people for insufficient standing.

The lawsuit was submitted last July 2021 on behalf of plaintiffs Jose Aponte II and Lisa Rosenberg, whose PHI was exposed due to a wrong setting of the companies’ Picture Archiving Communication System (PACS), which comprised medical images and connected patient information. At the end of 2019, security researchers discovered the exposed data and advised the impacted firms — Northeast Radiology as well as its vendor, Alliance HealthCare Services.

As per the lawsuit, over 61 million medical photos were compromised together with the sensitive information of 1.2 million people. Northeast Radiology sent the breach report to the HHS’ Office for Civil Rights indicating that 298,532 persons were affected. The lawsuit alleged the defendants had put in place not enough security measures to protect the privacy of patient data, which made it possible for unauthorized individuals to access the medical photos and other PHI between April 14, 2019 and January 7, 2020. The plaintiffs claimed that they are confronting a continuing and impending threat of identity theft and fraud because protected health information can’t be canceled. They assert they now must regularly keep an eye on their accounts and make use of credit and identity theft monitoring services, and spend extra time and energy to avert and mitigate against probable future deficits.

It is prevalent at this time for lawsuits to be filed against healthcare establishments right after data breaches, nevertheless, the lawsuits normally fail as a result of the inability to produce information of harm on account of the breach or theft of personal information, like the case here. Federal Judge for the Southern District of New York, Judge Vincent L. Bricetti, dropped the legal case since the plaintiffs didn’t assert a cognizable injury. The judge decided that the simple exposure of sensitive data didn’t prove that the plaintiffs were hurt by the occurrence and that the possibility of future hurt from the compromise of their sensitive information was overly speculative to build standing.

Though the data breach report was submitted to the HHS’ Office for Rights stating that approximately 298,532 persons were impacted, NorthEast Radiology was merely able to verify that the records of 29 individuals had absolutely been exposed to unapproved access, and the two victims referred to in the legal action were not involved in that small group.

Judge Bricetti based the judgment of the Second Circuit Court’s decision in McMorris v. Carlos Lopez & Associates, LLC, which set up a three-factor check for finding out if accusations of harm from a security breach resulted in a cognizable Article III injury-in-fact:

  • was the plaintiffs’ information compromised due to a targeted attempt to access that data
  • was any part of the dataset misused, though the plaintiffs did not encounter identity theft or fraud
  • was the type of exposed data sensitive so that there’s a high possibility of identity theft or fraud

Judge Bricetti refused all of the plaintiffs’ allegations for breach of implied contract, breach of contract, negligence, negligence per se, intrusion upon seclusion, and breach of New York General Business Law Section 349.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at