The Delaware Superior Court dismissed a lawsuit filed on behalf of persons affected by a Brandywine Urology Consultants data breach after the plaintiffs were unable to produce information proving they had sustained harm because of the breach.
Brandywine Urology Consultants suffered a ransomware attack on January 27, 2020. The attack was discovered two days later, and the subsequent investigation established that the attackers had gained access to a system that contained patient data.
Brandywine Urology Consultants determined from its investigation that the attack was carried out for extortion and not just to acquire patient records, though unauthorized data access and data theft could not be ruled out. The attackers possibly accessed the protected health information (PHI) of 130,000 patients, and could have viewed or acquired names, Social Security numbers, medical record numbers, financial information, claims records, and other data.
The lawsuit was filed in May 2020. It alleged that Brandywine Urology Consultants had been negligent in failing to prevent the attack and had violated its fiduciary duty, the Delaware Computer Security Breach Act, and the Delaware Consumer Fraud Act.
The lawsuit claimed the breach victims faced an imminent risk of harm and had suffered a loss of privacy, anxiety due to the theft of their PHI, loss of the benefit of the bargain, and interruption to their health care. The lawsuit sought damages to cover the cost of mitigation and the out-of-pocket expenses that had been incurred.
Brandywine Urology Consultants filed a motion to dismiss the action for lack of standing. The defendant maintained that the plaintiffs had not alleged an actual injury, that the economic loss doctrine prevents any recovery, and that the court did not have subject matter jurisdiction over the breach of fiduciary duty claim.
Brandywine Urology Consultants asserted that the claim that it had violated the Delaware Computer Security Breach Act lacked standing because it had met the statute's notice requirement, and that the Delaware Consumer Fraud Act allegation should be dismissed because the plaintiffs had failed to state a claim under the statute.
The Honorable Mary M. Johnston explained in the ruling that a plaintiff alleging that it could suffer future injuries from a defendant's purportedly poor conduct has to demonstrate that such injuries are surely upcoming, and has to present "a possibility that the injury is going to be redressed by a good decision."
Given that the plaintiffs failed to present facts showing harm, that there was merely a likelihood that their sensitive information had been breached, and that the defendant had taken fast and correct action to investigate and mitigate the breach, the motion to dismiss was granted.
Though the plaintiffs stated that they had incurred expenses because of the breach, the judge decided that expenses incurred in response to an assumed threat are not adequate, in themselves, to establish an injury sufficient to confer standing.