A district court judge in Arizona has tossed several claims against Banner Health brought by patients affected by a 2016 data breach.
But the judge allowed portions of the case to move forward, ruling that the plaintiffs had sufficiently demonstrated that the breach presents an impending injury.
The class-action lawsuit was filed in August 2016 on behalf of the 3.7 million individuals affected by a data breach in which hackers gained access to Banner’s network through its payment processing system at food and beverage outlets. The intruders ultimately gained access to servers containing patient and health plan data.
The plaintiffs, including a former ophthalmologist at Banner Thunderbird Hospital in Glendale, Arizona, alleged the health system failed “to take adequate precautions” like multi-factor authentication, firewalls and encryption. Although some of the plaintiffs said their information had already been misused to open up fraudulent accounts or credit cards, others argued that the increased risk of identity theft was enough to claim harm from the data breach.
The judge dismissed breach of contract, good faith and implied duty of care claims, ruling that portions of the employee handbook that addressed patient confidentiality and privacy are a duty owed to Banner Health by its employees, not vice versa.
But the judge allowed the class-action suit to move forward with its claims of unjust enrichment, negligence and violation of the Arizona Consumer Fraud Act.
“There is at least a plausible inference that the identity theft alleged by two of the Plaintiffs would not have happened but-for Defendant’s inadequate data security,” Judge Susan R. Bolton wrote, citing a similar ruling in Anthem’s data breach litigation. “Furthermore, there is a plausible inference that the rest of Plaintiffs are now at an increased risk of identity theft which they are incurring costs to prevent.”
The case adds to a growing number of legal decisions about whether the identity theft risks associated with a data breach constitutes harm, even if an individual's information has not been used inappropriately. That’s a question CareFirst has petitioned to the Supreme Court citing “growing uncertainty” among circuit courts regarding the level of harm associated with a data breach.