DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

OH: Potential class action against Health Recovery Services survives motion to dismiss

Posted on October 16, 2020 by Dissent

In April 2019, this site reported on a breach disclosed by Health Recovery Services (HRS). In October, 2019, Troy Foster sued them over the breach. I noted at the time that I was surprised at the claim concerning delayed notification when he had been notified in 60 days. I was not surprised to now read that the court dismissed that claim for failure to show that there was an incremental harm associated with any delay.

In any event, HRS moved to dismiss Foster’s complaint on a number of grounds, including, of course, an argument that Foster lacked standing. A summary from the court’s opinion provides a good recap:

Defendant argues that Plaintiff’s complaint must be dismissed for lack of subject matter jurisdiction because Plaintiff has not suffered an injury in fact. Defendant argues that Plaintiff has failed to: (1) allege that he suffered any harm resulting from a delayed notification; (2) to allege that his information was actually stolen or that he has suffered any injury; and (3) to allege that he actually provided sensitive health information about himself to HRS. (ECF No. 9 at 6-10). Plaintiff argues he has standing to bring his claims personally and on behalf of a class and that he has sufficiently alleged the threat of a substantial risk of harm. (ECF No.15 at 3-4).

One of the most interesting parts of the opinion on standing concerned the disclosure of sensitive medical information to a third party constituting a violation of FCRA and hence, an invasion of privacy that constitutes an alleged injury:

This Court finds the Third Circuit’s reasoning in Horizon persuasive. The disclosure of plaintiff’s sensitive medical information to a third party—even where, as here, that third party is a hacker— constitutes an invasion of privacy, the very type of injury that Congress enacted the FCRA to remedy. While Defendant argues that “one cannot infer from mere access … that Plaintiff’s information was accessed, then stolen,” Defendant has provided no evidence to support this assertion and indeed acknowledges in the data breach notice that it is “unable to definitively rule out” the possibility that patient information was accessed or stolen. (ECF No. 9-1 at 2). Defendant has failed to provide factual evidence that would definitively disprove Plaintiff’s allegation of injury. Accordingly, in addition to stating an injury in fact by alleging emotional distress, Plaintiff has also alleged an Article III injury by pleading a violation of the FCRA through the disclosure of his sensitive medical information to a third party.

When all was said and done, the court denied the motion to dismiss in part and granted it in part.  But the case survived and has a long way to go.

Foster v. Health Recovery Services
Case No. 2:19-CV-4453
United States District Court, S.D. Ohio, Eastern Division.

Opinion

Thanks to @JohnBrownnjr for alerting me to the opinion.

Related posts:

  • Fla. Courts Require Actual Injury to Demonstrate Standing in Data Breach Cases
  • The plaintiffs have standing to sue — court. No, they don’t — appeals court.
  • Plaintiffs Use Privacy Pledge Against Insurer in Data Breach Claim
  • Court guts much of class action lawsuit against Sony over data breach, but some claims remain
Category: HackHealth DataU.S.

Post navigation

← GAO: DATA SECURITY: Recent K-12 Data Breaches Show That Students Are Vulnerable to Harm
Cosmote reveals cyber attack exposed telephone data from thousands of customers →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.