Federal Court Proposes PracticeFirst Data Breach Lawsuit Dismissal

The U.S. District Court for the Western District of New York has suggested the dismissal of a class action data breach suit against Practicefirst Medical Management Solutions regarding a ransomware attack in 2020.

Medical management services provider Practicefirst based in Amherst, New York provides bookkeeping, coding, billing, credentialing, and compliance services to medical practices. On December 30, 2020, Practicefirst found out that unauthorized individuals had obtained access to its network, exfiltrated sensitive information, then made an attempt to deploy ransomware. The following records were exfiltrated from its systems: names, Social Security numbers, addresses, email addresses, usernames and passwords, financial data, and healthcare details. PracticeFirst entered into negotiations with the ransomware gang and had a deal for the return of the files and got confirmation that the taken files had been destroyed and were not further shared. The breach report was submitted to authorities as affecting over 1.2 million persons, including patients and workers, and affected people were sent notifications about the data breach starting July 2021. A no-cost 2-year membership to credit monitoring and identity theft protection services was provided to people impacted by the incident.

Several days after sending the breach notification letters, a lawsuit was filed by plaintiffs Peter Tassmer and Karen Cannon, who were patients of medical practices in partnership with PracticeFirst. The legal action sought damages and injunctive relief and expected that PracticeFirst will make substantial security enhancements. The lawsuit alleged PracticeFirst’s security problems caused the unauthorized exposure of sensitive data of the plaintiffs and other class members, which placed them at a greater and imminent risk of future identity theft, economic losses, and other harm and problems. The lawsuit alleged the plaintiffs and class members had experienced actual harm in the form of a violation of their privacy rights, a reduced value of their personal details, and time and money needed to be spent to address the breach that may have been expended on other activities.

The District Court advised the legal action be dismissed since the plaintiffs were not able to show they had sustained real harm due to the data breach. The danger of identity theft, fraudulence, and other injury was considered to be too speculative and not imminent. The plaintiffs stated that their sensitive information was stolen and because they were compromised that information would be employed for identity theft and fraud. The judge mentioned in his decision the claims were assuming given that this was a ransomware attack that concerned the exchange of money for access to information, not theft of information for identity theft.

The lawsuit claimed loss of the value of the plaintiffs’ personal data and protected health information (PHI); nevertheless, evidence was not presented to back up that claim. Although there are firms that offer to purchase personal and healthcare records, the plaintiffs didn’t assert they had attempted to sell their data and were pushed to take a lesser price because of the ransomware attack.

The recommendation comes after the decisions of many circuit and district courts not to grant Article III standing for legal cases based upon the impending risk of future identity theft when the plaintiffs could not show proof of misuse of their personal information and real harm. The Judge’s judgment referenced the June 2021 decision of the Supreme Court in the case Transunion LLC v. Ramirez, wherein the Supreme Court ruled that the threat of harm cannot be as tangible harm by itself, at least except if the exposure to the danger of future hurt itself leads to distinct definite harm.

The Supreme Court has clarified that allegations of tangible harm that are linked to speculative or probable future injury are inadequate since plaintiffs cannot produce standing just by inflicting harm on themselves according to their worries of hypothetical future harm that is definitely impending, stated the ruling judge. The parties were given 14 days to file objections, and a final ruling will be given.

About Christine Garcia 1192 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA