
Judge Dismisses Brandywine Urology Breach Lawsuit, Citing Lack of Harm

A judge has granted a motion to dismiss a data breach lawsuit against Brandywine Urology Consultants, as the victims failed to provide evidence of actual harm.

A healthcare data breach lawsuit against Brandywine Urology Consultants has been dismissed by the Delaware Superior Court, as the victims failed to provide evidence of injuries or losses caused by the 2020 security incident.

The lawsuit stemmed from a ransomware attack discovered by the Delaware specialist on January 27, 2020. The malware had been active on the network for two days before it was detected and isolated by the IT team.

Once the attack was neutralized, a scan was performed on the central server to ensure the malware was completely removed from the network. Officials found the attack was confined to the network and did not infect the electronic medical record system.

The investigation, conducted with support from an outside cybersecurity team, determined the attack was likely designed to encrypt data and extract a ransom from Brandywine Consultants, rather than to steal data.

The 130,000 patients potentially impacted by the event were still sent breach notification letters, as the investigation could not conclusively rule out access. The infected server contained patient names, Social Security numbers, medical file numbers, claims data, and other financial and personal information.

In May 2020, the breach victims filed a lawsuit against the Delaware provider, alleging negligence and breach of contract.

The patients also claimed imminent risk of future harm, a loss of privacy, anxiety, failure to receive the benefit of a bargain, a loss of value of property in personally identifying information, and disruption to medical care. The lawsuit sought mitigation expenses incurred by the breach.

The provider soon filed a motion to dismiss based on claims that the individuals lacked standing to bring the case to federal court.

Brandywine Consultants’ arguments for dismissal included that the individuals’ claims of economic loss barred any recovery, a lack of subject matter jurisdiction, and a lack of standing due to previous satisfaction of the statute’s notice requirement, among others.

Under federal law, plaintiffs bear the burden of demonstrating an actual injury in fact and a relationship between the alleged injury and the conduct of the entity.

As noted in the lawsuit, individuals are also required to demonstrate “a likelihood that the injury will be redressed by a favorable decision…. And the requisite injury-in-fact must be concrete, particularized, and actual or imminent—not conjectural or hypothetical.”

“Delaware courts have not addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact sufficient to confer standing. [Brandywine] argues that it does not,” according to the suit.

“Various federal courts have held that a plaintiff lacks standing to sue the party who failed to protect its data—in a lost data or potential identity theft case— where there is no proof of actual misuse or fraud,” it added. “Although some lower courts have disagreed, those courts still require a plaintiff to allege a ‘credible threat.’”

As such, the judge ruled that because the breach notification specified only a possible compromise of personal and financial information during the ransomware attack, it was not a concession of a plausible, concrete, imminent, or certain threat.

The judge also determined that Brandywine Consultants appeared to act swiftly in its response and investigation with appropriate measures.

The decision asserted that the provider should not be “punished” for sending breach notifications for a possible data compromise, stressing the court’s reluctance to “make any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution.”

The judge also found that the injury alleged by the individuals was “nothing more than conjecture and a collection of hypothetical risks.”

“Plaintiffs in this case have failed to allege that any of them have been victims of any actual harm stemming from the attack,” according to the ruling. “As almost a year has now passed without any harm occurring, it appears unlikely that Plaintiffs would be harmed in the near future.”

“The mere fact that the Attack occurred, without more, is insufficient to confer standing on Plaintiffs,” it added. “Under the facts of this case, the ‘imminent risk of future harm’ alleged by Plaintiffs is not concrete, particularized, actual or imminent. Therefore, Plaintiffs have failed to meet their burden for showing that they have standing.”

In light of a spate of breach lawsuits in recent years, the court’s decision could help shape future rulings around actual and imminent harm brought on by ransomware-related incidents and other security events.

Many of these lawsuits are settled out of court rather than through years of litigation and courtroom arguments. The ruling could thus set an example for future decisions.
