Wednesday, June 08, 2016

The Hospital, the Hackers and Personal Identifying Information

This post examines an opinion from the U.S. District Court for the District of Maryland:  Khan v. Children’s National Health System, 2016 WL 2946165 (2016). The judge begins the opinion by explaining that
Khan receives treatment at Children's Hospital in Washington, D.C., a hospital operated by CNHS. Khan provided CNHS with personally identifiable information such as her date of birth, Social Security number, address, and telephone number. CNHS also maintains records containing Khan's private health care information such as diagnoses, treatment records, and health insurance information.

On or about July 26, 2014, hackers gained access to the email accounts of certain CNHS employees when those employees responded to `phishing' emails.  The hackers' infiltration was not detected until December 26, 2015. During the five intervening months, the `email accounts had been potentially exposed in a way that may have allowed hackers to access information contained in those email accounts.’ Compl. ¶ 13.

The email accounts contained certain patient information, such as names, addresses, dates of birth, Social Security numbers, and telephone numbers, as well as private health care information. On February 26, 2015, CNHS sent a letter to approximately 18,000 patients, including Khan, notifying them that their personal data may have been contained in these email accounts. CNHS stated that the data breach did not extend to its electronic medical records system or patient charts and professed to have `no evidence that the information in the emails has been misused or even accessed.’ Def.'s Motion to Dismiss Ex. A, Data Breach Letter.
Khan v. Children’s National Health System, supra.
The opinion goes on to note that Khan
alleges that her sensitive personal information was `compromised, viewed, and/or stolen’ because CNHS did not take sufficient steps to protect it through encryption, passwords, or other measures. Complaint ¶¶ 20-21; 109. Upon learning of the breach, she placed passwords on her bank and credit card accounts. She remains concerned that her personal information will be misused, but she does not claim that she or anyone else affected by the data breach has learned of any misuse to date.
Khan v. Children’s National Health System, supra.
The judge explained that Khan originally
filed suit in the Circuit Court for Montgomery County, Maryland on June 1, 2015, alleging violations of the Maryland Consumer Protection Act, Md. Code Ann., Com. Law §§ 13–301 to 13–501 (2013), and the District of Columbia Consumer Protection Procedures Act, D.C. Code Ann., §§ 28–3901 to 28–3913 (2013), as well as negligence, breach of implied contract, and unjust enrichment.

On July 21, 2015, CNHS removed the case to this Court under the Class Action Fairness Act, 28 U.S.C. § 1332(d) (2012). On September 8, 2015, CNHS filed a Motion to Dismiss. On October 16, 2015, Khan submitted an Opposition to the Motion. . . .
Khan v. Children’s National Health System, supra.  As Wikipedia explains, in the United States, removal jurisdiction
refers to the right of a defendant to move a lawsuit filed in state court to the federal district court for the federal judicial district in which the state court sits. This is a general exception to the usual American rule giving the plaintiff the right to make the decision on the proper forum. Removal occurs when a defendant files a `notice of removal’ in the state court where the lawsuit is filed and the federal court to which the defendant would like to remove the case.

Removal is governed by statute, 28 U.S. Code § 1441 et seq. With rare exceptions, a case may be removed only if, at the time of the initial filing, the case could have been filed in federal court. Removal requires an independent ground for subject-matter jurisdiction such as diversity jurisdiction or federal question jurisdiction. A case must be removed to the federal district court that encompasses the state court where the action was initiated.
And as Wikipedia also explains, in U.S. law, a “motion is a procedural device for decision. It is a request to the judge (or judges) to make a decision about the case.”  Khan responded to CNHS’s motion to dismiss by filing an “Opposition to the Motion”, to which CNHS “filed a Reply.”  Khan v. Children’s National Health System, supra. 
The judge began his analysis of the issues raised by the motion to dismiss and Khan’s opposition to the motion by explaining that CNHS
argues that the Complaint should be dismissed for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) because Khan lacks standing, or, in the alternative, for failure to state a claim under Rule 12(b)(6). Because the Court finds, for the reasons stated below, that Khan lacks standing and that the Court thus lacks subject matter jurisdiction, it does not address the merits of Khan's claims. See Steel Co. v. Citizens for a Better Environment, 523 U.S. 83 (1998).
Khan v. Children’s National Health System, supra. 
The judge began his analysis motion by explaining that
[i]t is the plaintiff's burden to show that subject matter jurisdiction exists. Evans v. B.F. Perkins Co., Div. of Standex Int'l Corp., 166 F.3d 642, 647 (U.S. Court of Appeals for the 4th Circuit 1999). Federal Rule of Civil Procedure 12(b)(1) allows a defendant to move for dismissal based upon the belief that the plaintiff has failed to make that showing. When, as in this case, a defendant asserts that the plaintiff has failed to allege facts sufficient to establish subject matter jurisdiction, the allegations in the complaint are assumed to be true under the same standard as in a Rule 12(b)(6) motion, and `the motion must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction.’ Kerns v. United States, 585 F.3d 187 (U.S. Court of Appeals for the 4th Circuit 2009).
Khan v. Children’s National Health System, supra. 
He goes on to explain that
Article III of the Constitution limits the judicial power of the federal courts to actual `Cases’ and `Controversies.’ U.S. Const. art. III, § 2, cl. 1. To invoke this power, a litigant must have standing. Hollingsworth v. Perry, 133 S.Ct. 2652 (2013). The plaintiff bears the burden of proving standing. Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992). A plaintiff must establish (1) an injury in fact (2) fairly traceable to the challenged conduct (3) that is likely to be `redressed by a favorable judicial decision.’  Hollingsworth v. Perry, supra.  In a class action, the court analyzes the injuries alleged by the named plaintiffs, not unnamed members of the potential class, to determine whether the plaintiffs have Article III standing. Warth v. Seldin, 422 U.S. 490 (1975)O'Shea v. Littleton, 414 U.S. 488 (1974).
Khan v. Children’s National Health System, supra. 
The judge also pointed out that
CNHS limits its attack on Khan's standing to the first element: injury in fact. An injury in fact requires `an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Lujan v. Defenders of Wildlife, supra. . . . The United States Supreme Court articulated the standard for a future injury qualifying as an injury in fact in Clapper v. Amnesty International USA,133 S.Ct. 1138, (2013), a case in which the Court held that attorneys and human rights, labor, legal, and media organizations lacked standing to challenge a foreign intelligence surveillance program based on possible future interception of their phone calls, because the plaintiffs' alleged injury depended upon an `attenuated chain of possibilities’: the government would have to select the plaintiffs' clients and sources for surveillance, the Foreign Intelligence Surveillance Court would have to approve the proposed surveillance, and the plaintiffs' communications would actually have to be intercepted. Clapper v. Amnesty International USA, supra. The Court held that a threatened future injury `must be certainly impending to constitute an injury in fact” and that allegations of “possible future injury are not sufficient.’ Clapper v. Amnesty International USA, supra (emphasis in original).

The Court noted, however, that plaintiffs need not demonstrate that it is `literally certain’ that they will suffer harm, and it acknowledged that `we have found standing based on a ‘substantial risk’ that the harm will occur.’ Clapper v. Amnesty International USA, supra (quoting Monsanto Co. v. Geertson Seed Farms, 561U.S. 139 (2010)). Thus, `[a]n allegation of future injury may suffice if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’ Susan B. Anthony List v. Driehaus, 134 S.Ct.2334 (2014) (quoting Clapper v. Amnesty International USA, supra).
Khan v. Children’s National Health System, supra. 
The opinion notes that “Khan alleges several injuries that she contends establish Article III standing”, the first of which was that “she faces an imminent threat of identity theft”. Khan v. Children’s National Health System, supra.  The judge began his analysis of this issue as a basis for Article III standing, explaining that
Khan's most promising argument that she has an injury in fact to support Article III standing is that the data breach has placed her at an increased risk of identity theft. Neither the United States Court of Appeals for the Fourth Circuit nor any district court within the Fourth Circuit has addressed the standing of data breach victims. The issue, however, has been frequently litigated in federal courts in recent years, with different results. Two circuits, the United States Courts of Appeals for the Seventh and Ninth Circuits, have found standing for victims of data breaches based on the increased risk of identity theft.

In Krottner v. Starbucks Corp., 628 F.3d 1139 (U.S. Court of Appeals for the 9th Circuit 2010), a case predating Clapper, a thief stole a laptop computer containing the unencrypted names, addresses, and Social Security numbers of 97,000 Starbucks employees, which led Starbucks to notify those employees of the theft and offer credit monitoring services, even though there had been `no indication that the private information has been misused.' Krottner v. Starbucks Corp., supra. One named plaintiff, however, alleged that in the month following the theft someone used his Social Security number to attempt to open a bank account. Krottner v. Starbucks Corp., supra. The court, noting that `the possibility of future injury may be sufficient to confer standing on plaintiffs,' held that the increased risk of identity theft was an injury in fact because the plaintiffs had alleged `a credible threat of real and immediate harm stemming from the theft of the laptop.’ Krottner v. Starbucks Corp., supra.
Khan v. Children’s National Health System, supra. 
The opinion goes on to explain that,
[f]ollowing Clapper, the Seventh Circuit found standing stemming from hackers' use of malware to collect credit card data from up to 350,000 credit card customers of Neiman Marcus, a luxury department store. Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (U.S. Court of Appeals for the 7th Circuit 2015). In Remijas, Neiman Marcus learned that some of its customers had already found fraudulent charges on their credit cards before alerting the public about the data breach. Remijas v. Neiman Marcus Group, LLC, supra. Approximately 9,200 of those cards were known to have been used fraudulently in the wake of the breach. Remijas v. Neiman Marcus Group, LLC, supra. The court found that plaintiffs who alleged fraudulent charges on their credit cards had standing based on the time and expense necessary to resolve those charges. Remijas v. Neiman Marcus Group, LLC, supra.

Acknowledging that Clapper v. Amnesty International USA, supra requires a `certainly impending’ future injury, or at least a `substantial risk’ of injury, the court found that plaintiffs who had not experienced fraudulent charges also had standing because those plaintiffs knew, from the numerous cards already used fraudulently, that their personal information had been stolen by individuals who intended to misuse it. Remijas v. Neiman Marcus Group, LLC, supra (questioning why the hackers would `break into a store's database’ other than `to make fraudulent charges or assume those consumers' identities); see also Lewert v. P.F. Chang's China Bistro, Inc., 2016 WL 1459226 (U.S. Court of Appeals for the 7th Circuit 2016) (following Remijas  and holding that where hackers stole customer credit card and debit card data from a restaurant chain, and a named plaintiff had already received a fraudulent charge, plaintiffs had standing to sue).
Khan v. Children’s National Health System, supra. 
He went on to explain that, in in Reilly v. Ceridian Corp., 664 F.3d 38 (U.S. Court of Appeals for the Third 3dCircuit 2011), the U.S. Court of Appeals for the 3rd Circuit
held that plaintiffs alleging an injury in fact from an increased risk of identity theft lacked standing.  In Reilly, hackers `potentially gained access to personal and financial information’ of 27,000 individuals stored on the computer system of a payroll processing company. . . . It was unclear `whether the hacker read, copied, or understood’ the plaintiffs' data. Reilly v. Ceridian Corp., supra. After determining what information the hacker “may have accessed,” the company sent letters to the potential identity theft victims informing them of the breach and offering to provide one year of free credit monitoring and identity theft protection. Reilly v. Ceridian Corp., supra.

Although Reilly predated Clapper, the Third Circuit applied the same standard later endorsed in Clapper, that the `threatened injury must be ‘”certainly impending”’ in order to support standing. Reilly v. Ceridian Corp., supra (quoting Whitmore v. Arkansas, 495 U.S. 149 (1990)). The court found that the increased risk of identity theft was “too speculative” to establish standing. Reilly v. Ceridian Corp., supra. Distinguishing Krottner v. Starbucks Corp., supra, in which someone had already attempted to open a bank account using stolen personal information, the court noted that there was no indication that the personal data had been or ever would be misused. Reilly v. Ceridian Corp., supra. Rather, the threat of future injury was premised on the `speculation’ that the hackers had (1) `read, copied, and understood’ the personal information; (2) intended `to commit future criminal acts by misusing the information’; and (3) were able to use that information to the detriment of the plaintiffs. Reilly v. Ceridian Corp., supra. The court thus found that this `string of hypothetical injuries’ did not establish an `actual or imminent’ injury necessary to confer standing. Reilly v. Ceridian Corp., supra.
Khan v. Children’s National Health System, supra. 
The judge concluded his analysis of this issue by explaining that
[a]lthough these courts reached conflicting results, the difference appears to arise not from the application of a different legal standard, but rather from crucial distinctions in the underlying facts. In Krottner and Remijas, the allegations included either actual examples of the use of the fruits of the data breach for identity theft, even if involving victims other than the named plaintiffs, or a clear indication that the data breach was for the purpose of using the plaintiffs' personal data to engage in identity fraud. In Krottner, one of the plaintiff's credit card numbers had been fraudulently used. . . . In Remijas, the cyberattack involved malware that specifically sought to collect customer credit card data, and 9,200 credit card numbers had already been used fraudulently. . . . By contrast, in Reilly, neither of these factors was present. `A firewall was penetrated,’ and hackers had `potentially gained access to personal and financial information,’ but it was not known if the hackers `read, copied, or understood the data.’ Reilly v. Ceridian Corp., supra.
Khan v. Children’s National Health System, supra. 
The District Court Judge therefore found that
in the data breach context, plaintiffs have properly alleged an injury in fact arising from increased risk of identity theft if they put forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs' personal data to engage in identity fraud. Under this framework, Khan's allegations fall short. Unlike in Krottner or Remijas, Khan alleges no facts indicating that the hackers have attempted to engage in any misuse of CNHS patients' personal information since the breach was discovered. She alleges no suspicious activity: no unauthorized bank accounts or credit cards, no medical fraud or identity theft, and no targeted solicitations for health care products or services.

Nor do the circumstances of the data breach clearly indicate that the hackers' purpose was to use patients' personal data to engage in identity fraud. Unlike in Remijas, where malware was deployed on Neiman Marcus's computer system in an attempt to collect credit card data, . . . here the data breach consisted of the use of phishing emails to gain access to the email accounts of certain CNHS employees, not its electronic medical records system or some other centralized database of personal data. Although these email accounts contained some patients' personal information, there is no indication that the patients' personal data was actually viewed, accessed, or copied, or was even the target of the phishing scheme.

Tellingly, Khan, although at times referring to the data as `stolen,’ alleges only that hackers had `unauthorized access’ to the email accounts, that the accounts were `potentially exposed in a way that may have allowed hackers to access information contained in those email accounts,’ and that the data was `readily able to be copied.’
Complaint ¶¶ 13-22 (emphases added).

Thus, the allegations are more akin to those in Reilly, where the hackers `potentially gained access to personal and financial information,’ but it was unclear `whether the hacker read, copied, or understood’ the plaintiffs' personal data, and there was no indication of actual misuse. Reilly, supra. . . .  

Khan's more general allegations—that data breach victims are 9.5 times more likely to suffer identity theft and that 19 percent of data breach victims become victims of identity theft—do not alter this conclusion. These specific statistics, which are cited in numerous other cases, do not by themselves establish that there is `certainly impending’ harm under the specific facts of a given case. See, e.g., Strautins v. Trustwave Holdings, Inc., 27 F.Supp.3d 871, 877 (U.S. District Court for the Northern District of Illinois 2014). . . . Because the Complaint does not allege either actual misuse of the personal data or facts indicating a clear intent to engage in such misuse with plaintiffs' data, the Court finds that Khan has not alleged a `certainly impending’ injury or `substantial risk’ of imminent injury sufficient to establish Article III standing. See Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013). . . .
Khan v. Children’s National Health System, supra. 
The District Court Judge therefore held that 
CNHS's Motion to Dismiss is GRANTED IN PART and DENIED IN PART. The Court finds that Khan lacks standing, but it does not dismiss her claims. Instead, the case is REMANDED to state court. 
Khan v. Children’s National Health System, supra. 


No comments: