In April 2019, this site reported on a breach disclosed by Health Recovery Services (HRS). In October, 2019, Troy Foster sued them over the breach. I noted at the time that I was surprised at the claim concerning delayed notification when he had been notified in 60 days. I was not surprised to now read that the court dismissed that claim for failure to show that there was an incremental harm associated with any delay.

In any event, HRS moved to dismiss Foster’s complaint on a number of grounds, including, of course, an argument that Foster lacked standing. A summary from the court’s opinion provides a good recap:

Defendant argues that Plaintiff’s complaint must be dismissed for lack of subject matter jurisdiction because Plaintiff has not suffered an injury in fact. Defendant argues that Plaintiff has failed to: (1) allege that he suffered any harm resulting from a delayed notification; (2) to allege that his information was actually stolen or that he has suffered any injury; and (3) to allege that he actually provided sensitive health information about himself to HRS. (ECF No. 9 at 6-10). Plaintiff argues he has standing to bring his claims personally and on behalf of a class and that he has sufficiently alleged the threat of a substantial risk of harm. (ECF No.15 at 3-4).

One of the most interesting parts of the opinion on standing concerned the disclosure of sensitive medical information to a third party constituting a violation of FCRA and hence, an invasion of privacy that constitutes an alleged injury:

This Court finds the Third Circuit’s reasoning in Horizon persuasive. The disclosure of plaintiff’s sensitive medical information to a third party—even where, as here, that third party is a hacker— constitutes an invasion of privacy, the very type of injury that Congress enacted the FCRA to remedy. While Defendant argues that “one cannot infer from mere access … that Plaintiff’s information was accessed, then stolen,” Defendant has provided no evidence to support this assertion and indeed acknowledges in the data breach notice that it is “unable to definitively rule out” the possibility that patient information was accessed or stolen. (ECF No. 9-1 at 2). Defendant has failed to provide factual evidence that would definitively disprove Plaintiff’s allegation of injury. Accordingly, in addition to stating an injury in fact by alleging emotional distress, Plaintiff has also alleged an Article III injury by pleading a violation of the FCRA through the disclosure of his sensitive medical information to a third party.

When all was said and done, the court denied the motion to dismiss in part and granted it in part.  But the case survived and has a long way to go.

Foster v. Health Recovery Services
Case No. 2:19-CV-4453
United States District Court, S.D. Ohio, Eastern Division.

Opinion

Thanks to @JohnBrownnjr for alerting me to the opinion.