Beverly T. Peters v. St. Joseph Services Corporation d/b/a St. Joseph Health System, et al.

Peters, the plaintiff, brought a class action against St. Joseph Services Corporation for damages after a data breach of St. Joseph’s computer network. While purchasing health care services, Peters had provided her personally identifiable and protected health information to St. Joseph, including her name, social security number, birthdate, address, medical records, and bank information. In 2014, St. Joseph announced a security breach of its computer system had occurred where hackers potentially gained access of the personal information of Peters and around 405,000 other patients, employees, and employees’ beneficiaries.

Peters alleged violations of the Fair Credit Reporting Act and state and common law claims sounding in tort and contract. She alleged that hackers accessed and stole her information and disseminated it into the public domain where it was misused by unauthorized and unknown third parties. Someone attempted to make a purchase on her Discover card, to which she declined approval for the transaction upon receiving a fraud alert. On another occasion, someone attempted to access her Amazon.com account by using her son’s name. Peters claims this could only have been obtained by the information she provided St. Joseph. Additionally, she alleged the data breach was the reason for daily telephone solicitations which she received.

The issue of this case was “whether the heightened risk of future identity theft or fraud posed by a data security breach confers Article III standing on persons whose information may have been accessed.” (page 1).

Article III of the United States Constitution limited federal jurisdiction to actual cases and controversies, and every party bore the burden of establishing the existence of an injury that was “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” (page 8). The Court quoted the Supreme Court, which had repeatedly stated that although “imminence is a somewhat elastic concept, it is not so elastic that it reaches allegations of ‘possible future injury.’” (p. 8). A future injury allegation may suffice if the threatened injury is “certainly impending” or there is a “substantial risk” that the harm will occur.” (p. 8-9). The Court did not agree that Peters faced a “certainly impending” or “substantial risk of identity fraud as required by Article III because her alleged future injuries were speculative. The Court also found that the fact that any injury would be caused by opportunistic third parties broke the causative chain linking Peter’s potential future injury to St. Joseph’s failure. Finally, the Court noted that Peters had not yet alleged any quantifiable damage as a result of the data breach.

The Court granted St. Joseph’s 12(b)(1) motion to dismiss for want of subject matter jurisdiction and dismissed the complaint without leave to amend. However, the Court expressed no opinion about the state or common law claims, and dismissed those without prejudice, granting Peters 30 days to raise her remaining claims in state court.

“”Unless and until these conjectures come true,” Reilly, 644 F.3d at 42, Peters’ alleged future injuries are speculative—even hypothetical—but certainly not imminent. Critically, Peters “cannot describe how [she] will be injured without beginning the explanation with the word ‘if.’” Id. at 43 (quoting Storino v. Borough of Point Pleasant Beach, 322 F.3d 293, 298 (3d Cir. 2003)) (internal quotation marks omitted). For example, Peters might be able to demonstrate harm if third parties become aware of her exposed information and reveal their interest in it; if they form an intent to misuse her information; and if they take steps to acquire and actually use her information to her detriment. The misuse of her information could take any number of forms, at any point in time. The risk of future harm is, no doubt, indefinite. It may even be impossible to determine whether the misused information was obtained from exposure caused by the Data Breach or from some other source. Ultimately, Peters’ theory of standing “relies on a highly attenuated chain of possibilities.” Clapper, 133 S. Ct. at 1148. As such, it fails to satisfy the requirement that “threatened injury be certainly impending to constitute injury in fact.” Id. at 1147 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)).” (Page 10)

“The incidents identified by Peters as evidence of actual identity theft/fraud fail to meet the causation and redressability elements of the standing test. Peters essentially argues that her injuries are traceable to the FCRA because they stem from St. Joseph’s failure to comply with the requirements of the statute. She contends that as a result of this failure, acts of identity theft/fraud were (and continue to be) perpetrated against her, albeit by unknown third parties, for which St. Joseph should be held responsible: the attempted charge to her credit card; the attempted access to her Amazon.com account; the telephone solicitations she has received from medical products and services companies; the spam email sent from her account; and the physical and electronic materials she has received targeting her recorded medical conditions.

Although it is alleged that St. Joseph’s failures “proximately caused” these injuries, the allegation is conclusory and fails to account for the sufficient break in causation caused by opportunistic third parties. The injuries, to the extent that they meet the first prong, are “the result of the independent action of a third party” and therefore not cognizable under Article III. S. Christian Leadership Conference, 252 F.3d at 788 (citing Lujan, 504 U.S. [at 56061]).” (p. 14)