A federal court in Missouri has thrown out a class-action lawsuit that was brought against pharmacy benefits company Express Scripts over a 2008 data breach in which millions of customer records were believed to have been illegally accessed. In a 22-page ruling last week, Buckles said that the plaintiff in the case, John Amburgy, failed to show how the data breach caused him any direct injury or even put him in imminent danger of any injury. "Abstract injury is not enough to demonstrate injury-in fact," Buckles wrote. "The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical." The $22 billion Express Scripts in October 2008 disclosed that extortionists were threatening to publicly release millions of patient records that they had accessed from the company's databases unless the company paid an undisclosed amount of money. In dismissing the lawsuit, Magistrate Judge Frederick Buckles reiterated a position that has been taken by other judges in similar cases: Without any actual harm done, there can be no damages sought. St. Louis-based Express Scripts said it had received a letter with the names, birth dates, Social Security numbers and some prescription information for 75 patients, with the threat that more would be released if it did not pay up.
In his lawsuit, Amburgy accused Express Scripts of negligence in its duty to protect customer records. As of November, Express Scripts said it had notified about 700,000 individuals that their information may have been compromised in the incident. He accused the company of breach of contract, breach of implied contract and violations of data breach notification laws in various states. He claimed that he and others similarly affected had to spend time and money monitoring their credit accounts and reports, prescription records and other financial accounts. Amburgy claimed that as a result of Express Scripts' failure to maintain adequate security measures, he and others affected by the breach were at increased risk of identity theft fraud and extortion. But like other judges in similar cases , Buckles brushed aside those contentions and said Amburgy failed to show that he was directly affected by the breach and that his claims relied on too many "ifs." "Plaintiff alleges that he would be injured 'if' his personal information was compromised, and 'if' such information was obtained by an unauthorized third party, and 'if' his identity was stolen as a result, and 'if' the use of his stolen identity caused him harm." These multiple "ifs" put his claims in the realm of the hypothetical, the judge noted.
In October, for instance, a U.S. District Court judge in Maine asked the state's highest court to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law. Though other cases have ended the same way, some courts have begun to show a willingness to at least hear the sort of claims raised by Amburgy. The question stemmed from a motion filed by plaintiffs in a data breach lawsuit involving supermarket chain Hannaford Bros. In September, a federal court in Illinois allowed a couple's whose bank account had been depleted by cyber thieves to go ahead with their lawsuit against Citizens Financial Bank. The judge had previously thrown out all other claims in the case. The judge in the case noted the couple had shown there was a reasonable basis for arguing that the bank had failed in its duty to protect the couple's money.