Judge Dismisses Most of Class-Action Lawsuit Over DOD Data Breach
May 13, 2014 in News
On Friday, a federal district judge dismissed the majority of a consolidated class-action lawsuit filed against the Department of Defense, its TRICARE health insurance program and a contractor following a 2011 data breach that affected 4.7 million individuals, Health Data Management reports (Goedert, Health Data Management, 5/12).
Background on Data Breach
Science Applications International Corporation — a Department of Defense contractor — reported the data breach on Sept. 14, 2011. SAIC said the incident involved the loss of backup computer tapes from an electronic health record system.
The tapes contained data on 4.9 million TRICARE beneficiaries who received care at military facilities between 1992 and Sept. 7, 2011. The affected beneficiaries were residents of TRICARE’s southern region.
According to officials, the patient data on the tapes included:
- Personal health information;
- Phone numbers; and
- Social Security numbers.
In October 2011, some of the affected individuals filed a class-action lawsuit against DOD, seeking $4.9 billion in damages. Since then, seven more lawsuits have been filed against DOD over the incident (iHealthBeat, 3/15/12).
In his ruling, U.S. District Judge James Boasberg wrote that the case raises “thorny standing issues regarding … when is a consumer actually harmed by a data breach — the moment data [are] lost or stolen or only after the data [have] been accessed or used by a third party?”
He noted that most courts “have agreed that the mere loss of data — without evidence that [the information] has been either viewed or misused — does not constitute an injury sufficient to confer standing,” adding, “This court agrees” (Kolbasuk McGee, GovInfoSecurity, 5/13).
Boasberg detailed the multiple steps someone who obtained the stolen backup computer tapes would have to go through in order to access, decrypt, understand and then misuse or sell the data. He concluded, “The vast majority of plaintiffs has not alleged that any of those things happened — because they cannot. Those events are entirely dependent on the actions of an unknown third party — namely, the thief” (Health Data Management, 5/12).
However, he acknowledged that two of the 33 plaintiffs “plausibly assert that their data [were] accessed or abused, and those victims may move forward with their claims” (GovInfoSecurity, 5/13).
Boasberg also ruled against the plaintiffs on several other issues in the lawsuit, including:
- Invasion of privacy allegations, which he ruled were speculative until harm can be proven;
- Loss of value of personal and medical information, ruling that no harm exists; and
- Claims of identity theft, saying plaintiffs’ personal information was not breached.
He concluded, “Since the majority of plaintiffs has been dismissed — potentially altering the scope of the remaining litigants’ claims moving forward, the court will pause to confer with the parties before determining which, if any, of the complaint’s 20 counts has been properly alleged” (Health Data Management, 5/12).
Adam Greene, a privacy attorney and partner at Davis Wright Tremaine, said Boasberg’s ruling “adds to the majority of court cases that have held that plaintiffs must demonstrate actual harm, not merely a heightened risk of identity theft, to prevail on a claim related to a data breach.”
He noted, “There are still some statutes, like the California Confidentiality of Medical Information Act, which award ‘nominal damages’ in the absence of demonstrating actual damages. Cases under such laws are potentially distinguishable from the TRICARE/SAIC case” (GovInfoSecurity, 5/13).