The Fourth Circuit recently affirmed the dismissal of two class actions brought against the Secretary of Veterans Affairs for violations of the Privacy Act of 1974, 5 U.S.C. § 552a et seq., and the Administrative Procedure Act, 5 U.S.C. § 701 et seq. The plaintiffs are veterans who had received treatment at the Wm. Jennings Bryan Dorn VA Medical Center in Columbia, South Carolina. Officials at the Dorn Medical Center were also named as defendants.
The first class action, brought on behalf of 7,400 patients, stemmed from a missing laptop containing unencrypted personal information of the plaintiffs, including names, dates of birth, the last four digits of social security numbers, and physical descriptors (age, race, gender, height, and weight). The plaintiffs sought declaratory relief and monetary damages, claiming that the defendants’ loss of the laptop violated the Privacy Act and caused the plaintiffs “‘embarrassment, inconvenience, unfairness, mental distress, and the threat of current and future substantial harm from identity theft and other misuse of their Personal Information.’” Furthermore, the plaintiffs asserted that the “‘threat of identity theft’ required them to frequently monitor their ‘credit reports, bank statements, health insurance reports, and other similar information, purchas[e] credit watch services, and [shift] financial accounts.’” Plaintiffs also sought injunctive relief under the Administrative Procedure Act (APA): to require the VA to account for all Privacy Act records in the possession of the Dorn Medical Center; to recover and permanently destroy any improperly maintained records; and to enjoin the defendants from transferring patient information from computer systems to any portable device until they can “‘demonstrate to the Court that the adequate information security has been established.’”
The trial court granted the defendants’ second motion to dismiss on the basis that the plaintiffs lacked standing under the Privacy Act: they could not demonstrate a genuine issue of material fact “as to whether they face a ‘certainly impending’ risk of identity theft,” and their “fear of harm from future identity theft … was too speculative … because it was ‘contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendants.’” Nor could the plaintiffs satisfy the “‘lesser standard’ of ‘substantial risk’ of future harm.” The court also did not find that the plaintiffs’ purchase of credit-monitoring services amounted to an injury-in-fact, as such purchase was made to mitigate any possible future harm. The court also declined to grant injunctive relief, as it was speculative that plaintiffs’ personal information would be compromised by a future violation of the Privacy Act. Despite this, the court found that the fact “that ‘there have been at least seventeen data breaches at Dorn [VAMC] during the course of th[e] [Beck] litigation’ was ‘undoubtedly concerning.’”
The second class action stemmed from the disappearance of four boxes of pathology reports, which contained identifying information of over 2,000 patients, including names, social security numbers, and medical diagnoses. The plaintiffs—the patients whose information was included in the missing reports—sought monetary, declaratory, and injunctive relief, alleging the same harm as the plaintiffs in the first class action. The trial court granted the defendants’ motion to dismiss for lack of subject-matter jurisdiction as it “‘ha[d] not [been] alleged that there ha[d] been any actual or attempted misuse of [plaintiffs’] personal information.’” The court also declined to find that the plaintiffs were “‘in real and immediate danger of sustaining a direct injury as a result of some official conduct.’”
In affirming the trial court’s findings of lack of standing, the Fourth Circuit relied mainly on Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013). The Fourth Circuit reiterated the Supreme Court’s holding that a “‘highly attenuated chain of possibilities’ could not ‘satisfy the requirement that threatened injury must be certainly impending.’” The court found that the plaintiffs failed to establish a “substantial risk” of harm and declined “to infer a substantial risk of harm of future identity theft from an organization’s offer to provide free credit monitoring services to affected individuals” as “such a presumption would surely discourage organizations from offering these services to data-breach victims.” The court also relied on Clapper for the propositions that a threatened event “‘reasonabl[y] likel[y]’ to occur” may “still be insufficiently ‘imminent’ to constitute an injury-in-fact” and that “self-imposed harms cannot confer standing.” Lastly, the Circuit Court found that the plaintiffs did not have standing under the APA as past violations of the Privacy Act by the Dorn Medical Center do not establish an ongoing case or controversy.