In Foster v. Health Recovery Servs., No. 2:19-CV-4453, 2020 U.S. Dist. LEXIS 186508 (S.D. Ohio Oct. 7, 2020), Judge Marbley found that at least one claim of damages for a data breach victim satisfied Art. III standing.
In a recent data breach case brought pursuant to the FCRA, the [*14] Third Circuit examined both the congressional judgment and common law factors in determining whether plaintiffs alleged an Article III injury where laptops containing the plaintiffs’ unencrypted personal information were stolen from the defendant-insurer’s headquarters. In re Horizon Healthcare Services Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017). In Horizon, the Third Circuit determined that Plaintiffs had standing to pursue their claims based on the defendant’s alleged violation of the FCRA. Id. at 641. With respect to congressional judgment, the Third Circuit determined that in enacting the FCRA, Congress “established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm.” Id. at 639. The Third Circuit also observed that the common law factor was easily satisfied since “the ‘intangible harm’ that FCRA seeks to remedy ‘has a close relationship to a harm [i.e. invasion of privacy] that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. at 639-40. This Court finds the Third Circuit’s reasoning in Horizon persuasive. The disclosure of plaintiff’s sensitive medical information to a third party—even where, as here, that third party is a hacker—constitutes an invasion of privacy, the very type of injury that Congress enacted the FCRA to remedy. While Defendant argues that “one cannot infer from mere access … that Plaintiff’s information was accessed, then stolen,” Defendant has provided no evidence to support this assertion and indeed acknowledges in the data breach notice that it is “unable to definitively rule out” the possibility that patient information was accessed or stolen. (ECF No. 9-1 at 2). Defendant has failed to provide factual evidence that would definitively disprove Plaintiff’s allegation of injury. Accordingly, in addition to stating an injury in fact by alleging emotional distress, Plaintiff has also alleged an Article III injury by pleading a violation of the FCRA through the disclosure of his sensitive medical information to a third party.