Two federal judges recommended the dismissal of proposed class action lawsuits against CommonSpirit, a Catholic hospital chain, over a cyberattack and data breach affecting 624,000 individuals. The judges ruled that plaintiffs failed to demonstrate harm resulting from the breach, highlighting the difficulty in establishing Article III standing in health data breach lawsuits. U.S. Magistrate Judge Susan Prose’s recommendation to dismiss plaintiff Bonnie Maser’s lawsuit was based on the lack of evidence tying recent bank fraud to the CommonSpirit breach. Another federal judge previously dismissed a consolidated case of proposed class action lawsuits against CommonSpirit, citing similar standing issues.
Regulatory attorney Paul Hales noted that health data breach lawsuits often fail due to lack of standing, which necessitates plaintiffs to prove concrete harm resulting from the breach. In Maser’s case, despite claiming theft from her credit union account, the judge found insufficient evidence linking it to the CommonSpirit breach. The challenge lies in demonstrating concrete or imminent harm to support Article III standing, as claims of future speculative harm are insufficient for maintaining federal lawsuits.
CommonSpirit’s response to the dismissed lawsuits and any potential pending litigation related to the cyberattack remains unclear. The organization did not immediately comment on the matter. The dismissals underscore the complexities surrounding healthcare data breach litigation and the high burden of proof required to establish standing. Despite the setbacks, the challenges highlight the importance of robust cybersecurity measures and proactive risk management in healthcare organizations to mitigate the impact of cyberattacks and subsequent legal ramifications.
