Last week, New York federal judge Vincent L. Bricetti dismissed a data breach class action against Northeast Radiology PC (Northeast) and Alliance HealthCare Services (Alliance) because the plaintiffs failed to allege a cognizable injury.
In July 2021, Jose Aponte II and Lisa Rosenberg filed suit alleging that Northeast and Alliance failed to protect their sensitive health data from unauthorized access. The complaint alleged that more than 1.2 million patients’ medical records were exposed, including more than 60 million X-rays, CT scans, MRIs, medical test results, diagnoses, Social Security numbers, names, and addresses.
According to the complaint, in mid-2019, a third-party forensic firm discovered “major flaws” in the companies’ medical archiving system that exposed patients’ medical records to the general public. The plaintiffs alleged that the companies had inadequate security systems and that they failed to remediate the firm’s findings, which led to unauthorized parties accessing patient information for “at least nine months between April 14, 2019 and January 7, 2020.” However, Judge Bricetti dismissed the complaint based on the lack of standing. Judge Bricetti said the mere potential for exposure of their information did not establish that the plaintiffs were harmed from the incident. Judge Bricetti wrote, “Plaintiffs’ risk of future harm is too speculative to establish standing.” Aponte and Rosenberg were patients at Northeast Radiology, however, Northeast Radiology only confirmed that 29 patients’ information was accessed as a result of this incident and the plaintiffs were not included in that group. Therefore, said Judge Bricetti, the risk of having their data misused was too remote and the complaint warranted dismissal.