Table of Contents
District Court Found That an Increased Risk of Identity Theft Is a Cognizable Injury in Fact
On March 11, 2019, U.S. District Judge Mary S. Scriven denied 21st Century Oncology Holdings Inc.’s motion to dismiss a class action lawsuit over a 2015 data breach. The judge ruled that the increased risk of identity theft subsequent to a data breach is a cognizable injury in fact. This is significant because the Eleventh Circuit has not yet addressed this issue.
In October 2015, an unauthorized third party gained access to 21st Century Oncology’s database containing patients’ personal information. The data breach affected more than 2.2 million patients. The compromised information included patients’ names, Social Security numbers, diagnoses and treatment information. The lawsuit alleged that 21st Century Oncology “failed to maintain reasonable and/or adequate security measures to protect Plaintiffs’ and other Class members’ [personally identifiable information (PII) and protected health information (PHI)] from being released, disclosed, and rendered publicly accessible to unauthorized parties.” It also claims that the FBI learned that “an unauthorized party was attempting to sell compromised 21st Century Oncology data,” which “was advertised, in Russian, as approximately 10 million patient records from 21st Century Oncology available to purchase for $10,000.”
Scriven identified three benchmarks to analyze if an increased risk of identity theft qualifies as an injury in fact and found that the claims fulfilled all three: (1) the motive of the party that stole or accessed the sensitive personal information, (2) the type of personal information exposed, and (3) whether the sensitive information was actually accessed and if there have been instances of misuse stemming from the same breach. (In Re: 21st Century Oncology Customer Data Security Breach Litigation MDL, case number 8:16-md-2737-MSS-AEP, in the U.S. District Court for the Middle District of Florida.)