No harm, no foul, says judge in Express Script data breach case

A federal court in Missouri has thrown out a consumer class-action lawsuit that was brought against pharmacy benefits company Express Scripts over a 2008 data breach in which millions of customer records were believed to have been illegally accessed.

In dismissing the lawsuit, Magistrate Judge Frederick Buckles reiterated a position that has been taken by a number of other judges in similar cases in the past: Without any actual harm being done, there can be no damages sought.

In a 22-page ruling last week, Judge Buckles said that the plaintiff in the case, John Amburgy had failed to show how exactly the data breach had caused him any direct injury or even put him in imminent danger of any injury.

"Abstract injury is not enough to demonstrate injury-infact," Judge Buckles wrote. "The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical."

Express Scripts, which is worth $22 billion, disclosed in October 2008 that extortionists were threatening to publicly release millions of patient records that they had apparently accessed from the company's databases if the company did not pay up an undisclosed amount of money.

Express Scripts, of St Louis, said it had received a letter with the names, birth dates, Social Security numbers and some prescription information for 75 patients, with the threat that more would be released if it did not pay up.

As of November this year, Express Scripts said it had notified about 700,000 individuals that their information may have been compromised in the incident.

In his lawsuit, Amburgy charged Express Scripts with negligence in its duty to protect customer records. He accused the company of breach of contract, breach of implied contract and violations of data breach notification laws in various states.

Amburgy claimed that as a result of Express Scripts' failure to maintain adequate security measures, he and others affected by the breach were at increased risk of identity theft fraud and extortion. He claimed that he and others similar affected had to spend time and money monitoring their credit accounts and reports, prescription records and other financial accounts.

But like other judges in similar cases , Judge Buckles brushed aside such contentions and noted that Amburgy had failed to show that he was directly impacted by the breach and that his claims relied on too many "ifs."

"Plaintiff alleges that he would be injured "if" his personal information was compromised, and "if" such information was obtained by an unauthorized third party, and "if" his identity was stolen as a result, and "if" the use of his stolen identity caused him harm." These multiple "if's" put his claims in the realm of the hypothetical, Judge Buckles noted.

Though numerous other cases have ended the same way, some courts have begun to show a willingness to at least hear the sort of claims raised by Amburgy. Just in October instance, a U.S. District Court judge in Maine asked the state's highest court to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law.

The question stemmed from a motion filed by plaintiffs in a data breach lawsuit involving supermarket chain Hannaford Bros . The judge had previously thrown out all other claims in the case.

In September, a federal court in Illinois allowed a couple's whose bank account had been depleted by cyber thieves to go ahead with their lawsuit against Citizens Financial Bank. The judge in the case noted the couple had shown that a reasonable basis existed to argue that the bank had failed in its duty to protect the couple's money.

Copyright © 2009 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon