Federal Court: Theft of Medical Records Not an 'Imminent Danger' To Victim

chicksdaddy writes: A federal court in Texas ruled last week that a massive data breach at a hospital in that state didn't put patients at imminent risk of identity theft, even when presented with evidence that suggested stolen patient information was being used in attempted fraud and identity theft schemes. According to a post over at Digital Guardian's blog Beverly Peters was one more than 400,000 patients of St. Joseph Hospital whose information was stolen by hackers in an attack that took place between December 16 and 18, 2013.

Peters alleged that her personal information had been exposed in the breach and then disseminated in the public domain, where it was being "misused by unauthorized and unknown third parties." Specifically: Peters reported that, subsequent to the breach at St. Josephs, her Discover credit card was used to make a fraudulent purchase and that hackers had tried to infiltrate her Amazon.com account — posing as her son. Also: telemarketers were using the stolen information. Peters claimed that, after the breach, she was besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph's.

As a result, Peters argued that she faced an "imminent injury" due to "increased risk" of future identity theft and fraud because of the breach at St. Joseph, and wished to sue the hospital for violations of the Fair Credit Reporting Act (FCRA). But the court found otherwise, ruling that Peters lacked standing to bring the case in federal court under Article III of the Constitution. That was because she hadn't been able to prove any direct damages from the attempted identity theft that occurred in the past (Discover reversed the fraudulent charge), while the threat she faced in the future was not "imminent."

As this article notes, the ruling turns on a high profile case involving government surveillance and the now-infamous FISA courts dating back to the Carter administration: Clapper v. Amnesty International USA. In that case, the U.S. Supreme Court ruled against the human rights group and a collection of lawyers and reporters in a challenge to part of the Foreign Intelligence Surveillance Act (FISA). The plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and the threat would force them to take expensive security measures to keep their communications private. The High Court ruled otherwise, saying the threat of government surveillance was hypothetical, but not "certainly impending."

In his 15 page ruling (PDF), U.S. District Judge Kenneth Hoyt said the same logic applied to Peters' suit as well. "Under Clapper, Peters must at least plausibly establish a "certainly impending" or "substantial" risk that she will be victimized," Hoyt wrote. "The allegation that risk has been increased does not transform that assertion into a cognizable injury.

We Are Just Serfs

So, basically, it seems from now on that attempted murder is going to be dropped as a crime, because a bullet would actually have to hit you, or at least graze you, in order for there to be a risk of harm? This is just another sign that the corporatocracy that we live in is never again going to recognize and respect the rights of individuals that are bearing the brunt for sloppy security and an unwillingness to recognize -- or care about -- the danger that results from it.

Totallly reasonable ruling

[gurps_npc]

"Imminent threat" seems to me to be the opposite of "increased risk".

Frankly, this guy seems to be using the same definition of "imminent threat" that the CIA uses when it determines who to kill/torture.

Which is of course a huge red flag that you have made a mistake. I mean really, thinking like the CIA?

Re:Totallly reasonable ruling

[penix1]

To my lay eye (IANAL and all) this is enough to justify more than imminent threat but actual harm:

subsequent to the breach at St. Josephs, her Discover credit card was used to make a fraudulent purchase and that hackers had tried to infiltrate her Amazon.com account -- posing as her son. Also: telemarketers were using the stolen information. Peters claimed that, after the breach, she was besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph's.

For this judge to say it is simply ignoring the actual harm done is mind blowing...

Re:Hey, no worries. It's no big deal

[monkeyzoo]

Open call to doxx the judge? Anonymous, are you listening?
And then if the gov't catches the hackers, they can just say, hey there was no harm!!! He said so himself!

"Standing"

[sycodon]

The concept of Standing has to be the most abused notions in the legal system, especially with regards to the government.

You should not have to prove you have been specifically injured in order to make the government follow the law.

Re:"Standing"

[kilfarsnar]

The concept of Standing has to be the most abused notions in the legal system, especially with regards to the government.

You should not have to prove you have been specifically injured in order to make the government follow the law.

It's even worse nowadays, because the government does so much in secret the evidence you have been injured is classified.

Re:Liberal Ass

[oh_my_080980980]

You mean a conservative ass unless you think pimping for Chevron is liberal or are going on the basis of his color...

Re:Exactly!

[gweihir]

Indeed. It shows that the legal system is fundamentally broken and incapable of dealing with the problems arising in an information-based society. No surprise.

Re:Hey, no worries. It's no big deal

[Gr8Apes]

While normally I'd say no, in this case, the only way this judge will see the light is to personally experience just exactly what it means to be hacked. He's already demonstrated a total lack of understanding with actual evidence thrown in front of him, so maybe the experience will enlighten him. Would his position be the same with the meth-addicted gun toting neighbor that shoots randomly into the neighborhood yesterday, that he's not an imminent threat today.... some people are just idiots.

Re:Hey, no worries. It's no big deal

[tnk1]

I don't know that this is entirely fair. While a lot rides on a judge's opinion, in the end, the judges are only supposed to interpret the law and precedents from higher courts, not make things up as they go along. If there had been no precedent (ie. the Clapper decision), he may have felt more free to define a better test for "imminent threat".

Most lower court judges work to make sure their decisions will pass muster on appeal. That requires them to respect precedents or you can be sure that those judges will be constantly overruled on appeal. And if a judge is constantly overruled on appeal, it means that more cases end up waiting on appeals and fewer cases can be heard. If the Supreme Court is constantly having to decide cases that end up in their lap on appeal, they'll have no time to ensure the most important ones get their time. If a judge becomes a passthrough to an appeal, that judge will have their reputation and possibly their career suffer.

There is a reason that judges are appointed, sometimes for life. They're supposed to be accountable to the law, not the electorate directly. If we have a problem with definitions, we need to get legislation with the right definitions. I am not suggesting that anyone get doxxed, but if someone was to be, it needs to be legislators.

Re:Exactly!

[gtall]

No, it shows that a judge in Texas is screwed up. Arguing from a single point to an entire set of points is generally a hard argument to make, I suggest you take Logic 101.

Re:Hey, no worries. It's no big deal

[wiredlogic]

You don't get a free pass to throw out common sense when you enter the judiciary.