A federal appeals court on Friday reinstated a putative class-action lawsuit filed in connection with a pharmacy’s data breach, stating the plaintiffs had adequately alleged actual or potential injury.
Andover, Massachusetts-based Injured Workers Pharmacy LLC, a home delivery pharmacy service, experienced a data breach in January 2012, with hackers gaining access to personally identifiable information, including the social security numbers and personal financial information of more than 75,000 of its patients, according to the ruling by the 1st U.S. Circuit Court of Appeals in Boston in Alexsis Webb; Marsclette Charley v. Injured Workers Pharmacy LLC.
IWP did not discover the breach until almost four months later, in May 2021, and did not begin notifying its patients about it until February 2022. Even then, “it did not fully convey its size or scope,” the ruling said.
Ms. Webb, whose PII was used to file a fraudulent 2021 tax return, and Ms. Charley, who said she feared for her personal financial security as a result of the breach, filed a putative class action in U.S. District Court in Boston, charging negligence, breach of implied contract, unjust enrichment, invasion of privacy and breach of fiduciary duty.
The district court dismissed the case, concluding the plaintiffs’ complaint did not plausibly allege an injury in fact.
A three-judge appeals court panel overturned the ruling. “We hold that the complaint’s plausible allegation of actual misuse of Webb’s stolen PII to file a fraudulent tax return suffice to state a concrete injury under Article III,” it said. “There is an obvious temporal connection between the filing of the false tax return and the timing of the data breach.”
As to Ms. Charley’s complaint, it “plausibly alleges a concrete injury in fact based on the material risk of future misuse of Charley’s PII and a concrete harm caused by exposure to its risk,” it said.
The appeals court affirmed dismissal of the plaintiffs’ claim for injunctive relief, stating it was “not likely to redress their alleged injuries.”
Plaintiff David K. Lietz, a partner with Milberg Coleman Bryson Phillips Grossman LLC in Washington, issued a statement that said in part, “The Webb decision demonstrates that federal court is still a viable forum for data breach cases based upon the material risk of future misuse.”
The pharmacy’s attorneys did not respond to a request for comment.
