Slashdot Mirror
Federal Court: Theft of Medical Records Not an 'Imminent Danger' To Victim
chicksdaddy writes: A federal court in Texas ruled last week that a massive data breach at a hospital in that state didn't put patients at imminent risk of identity theft, even when presented with evidence that suggested stolen patient information was being used in attempted fraud and identity theft schemes. According to a post over at Digital Guardian's blog Beverly Peters was one more than 400,000 patients of St. Joseph Hospital whose information was stolen by hackers in an attack that took place between December 16 and 18, 2013.
Peters alleged that her personal information had been exposed in the breach and then disseminated in the public domain, where it was being "misused by unauthorized and unknown third parties." Specifically: Peters reported that, subsequent to the breach at St. Josephs, her Discover credit card was used to make a fraudulent purchase and that hackers had tried to infiltrate her Amazon.com account — posing as her son. Also: telemarketers were using the stolen information. Peters claimed that, after the breach, she was besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph's.
As a result, Peters argued that she faced an "imminent injury" due to "increased risk" of future identity theft and fraud because of the breach at St. Joseph, and wished to sue the hospital for violations of the Fair Credit Reporting Act (FCRA). But the court found otherwise, ruling that Peters lacked standing to bring the case in federal court under Article III of the Constitution. That was because she hadn't been able to prove any direct damages from the attempted identity theft that occurred in the past (Discover reversed the fraudulent charge), while the threat she faced in the future was not "imminent."
As this article notes, the ruling turns on a high profile case involving government surveillance and the now-infamous FISA courts dating back to the Carter administration: Clapper v. Amnesty International USA. In that case, the U.S. Supreme Court ruled against the human rights group and a collection of lawyers and reporters in a challenge to part of the Foreign Intelligence Surveillance Act (FISA). The plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and the threat would force them to take expensive security measures to keep their communications private. The High Court ruled otherwise, saying the threat of government surveillance was hypothetical, but not "certainly impending."
In his 15 page ruling (PDF), U.S. District Judge Kenneth Hoyt said the same logic applied to Peters' suit as well. "Under Clapper, Peters must at least plausibly establish a "certainly impending" or "substantial" risk that she will be victimized," Hoyt wrote. "The allegation that risk has been increased does not transform that assertion into a cognizable injury.
Peters alleged that her personal information had been exposed in the breach and then disseminated in the public domain, where it was being "misused by unauthorized and unknown third parties." Specifically: Peters reported that, subsequent to the breach at St. Josephs, her Discover credit card was used to make a fraudulent purchase and that hackers had tried to infiltrate her Amazon.com account — posing as her son. Also: telemarketers were using the stolen information. Peters claimed that, after the breach, she was besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph's.
As a result, Peters argued that she faced an "imminent injury" due to "increased risk" of future identity theft and fraud because of the breach at St. Joseph, and wished to sue the hospital for violations of the Fair Credit Reporting Act (FCRA). But the court found otherwise, ruling that Peters lacked standing to bring the case in federal court under Article III of the Constitution. That was because she hadn't been able to prove any direct damages from the attempted identity theft that occurred in the past (Discover reversed the fraudulent charge), while the threat she faced in the future was not "imminent."
As this article notes, the ruling turns on a high profile case involving government surveillance and the now-infamous FISA courts dating back to the Carter administration: Clapper v. Amnesty International USA. In that case, the U.S. Supreme Court ruled against the human rights group and a collection of lawyers and reporters in a challenge to part of the Foreign Intelligence Surveillance Act (FISA). The plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and the threat would force them to take expensive security measures to keep their communications private. The High Court ruled otherwise, saying the threat of government surveillance was hypothetical, but not "certainly impending."
In his 15 page ruling (PDF), U.S. District Judge Kenneth Hoyt said the same logic applied to Peters' suit as well. "Under Clapper, Peters must at least plausibly establish a "certainly impending" or "substantial" risk that she will be victimized," Hoyt wrote. "The allegation that risk has been increased does not transform that assertion into a cognizable injury.
Because just like a credit card number when that is lost / stolen, they can just issue you a new medical history. They can undo the fact you may have diabetes, cancer, HIV, MS, heart disease all really easily and it won't impact your life at all.
So, basically, it seems from now on that attempted murder is going to be dropped as a crime, because a bullet would actually have to hit you, or at least graze you, in order for there to be a risk of harm? This is just another sign that the corporatocracy that we live in is never again going to recognize and respect the rights of individuals that are bearing the brunt for sloppy security and an unwillingness to recognize -- or care about -- the danger that results from it.
I wonder if Judge Kenneth Hoyt would be cool with hackers openly posting all of his personal info online. After all, it's not a cognizable injury or anything.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
So, if I dropped my wallet, I wouldn't expect that there is an imminent danger that someone will take all the cash out of it and spend it?
Frankly, this guy seems to be using the same definition of "imminent threat" that the CIA uses when it determines who to kill/torture.
Which is of course a huge red flag that you have made a mistake. I mean really, thinking like the CIA?
excitingthingstodo.blogspot.com
The concept of Standing has to be the most abused notions in the legal system, especially with regards to the government.
You should not have to prove you have been specifically injured in order to make the government follow the law.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Maybe this is saying that you can't sue for something that hasn't happened yet - and, indirectly, that the law requiring protection of confidentiality (and penalizing failure) has no teeth, and that the limits against abusive overreach of law are allowing an end-run around the general intent.
Let's say you had a workman at your house, and they left the garage door unlocked when they were finished. If you come home and everything is fine, then there is no cause for legal action. If you come home and your house has been robbed, then first it's the robber's criminal act, and then maybe there's a civil action by your insurance company to get money from the workman's insurance company.
The hospital is seen as the *victim* of a theft, just as if a doctor's or psychiatrist's office were broken into for drugs and some records were stolen, rather than a *culprit* for "failing to maintain HIPAA confidentiality". YOU have to go after each person who does something illicit with the information; each marketer, each fraud instance, each problem, is individual. And since each of them is small individually, it's YOUR burden to chase them as a civil matter rather than a criminal matter that would get you some help from society (through the police agencies).
If a breach happens, just change your medical history.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Courts apply the law - justice is a bit more nebulous.
This is why I say we have a legal system, not a justice system.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
Generally people do not understand about personal data until it bites them in the butt. If his data and his families data gets highlighted in those records on the net. Bet he will think differently very fast. Perhaps he needs to understand the personal injury before he can make good decisions.
Until is more expensive for people that make these decisions and corporations that fail on so many levels of bureaucracy, no changes will be made that have an impact.
Texas is about 60/40 Republican/Democrat at the moment. From 1848 to 1978, Democrats won Texas in all but 4 presidential elections, and Texas even had a Democrat (Ann Richards) as it's governor up until George W. Bush was elected in the mid-1990s. Texas' population is also among the fastest growing in the nation as a result of the high number of people relocating there from other states, suggesting that its demographics are likely to change over the next few years. As it is now, almost all of the urban centers (of which there are quite a few) lean Democrat, while the sprawling suburbs (of which there are also quite a few) lean Republican.
Suggesting it's "99.999% Republican" means that you've fallen for the rhetoric one side or the other is spewing.
The court did not say she was wrong, it said she went to the wrong courthouse.
You keep using that word; I don't think you know what it means.
Not only was this guy nominated by Reagan, he was nominated on Phil Gramm's recommendation.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Although it is alleged that St. Joseph's failures "proximately caused" these injuries, the allegation is conclusory and fails to account for the sufficient break in causation caused by opportunistic third parties. The injuries, to the extent that they meet the first prong, are "the result of the independent action of a third party" and therefore not cognizable under Article III.
1) Company leaks your data
2) Third parties abuse your data
3) You don't have standing to sue company, because you've been harmed by third parties.
Who else would have standing to sue expect for the people whose data is being protected? This is basically saying nobody has standing and the law is null and void. This judge should rule the Snowden trial, if there ever is one. He'd dismiss all charges because the US government would lack standing, they haven't been harmed by Snowden's actions only the actions of independent third parties acting on his information. That's a clear break in causation, don't you agree?
Live today, because you never know what tomorrow brings
The hospital **will** be facing fines for the breach, HIPAA violations are expensive. Hospitals have been cutting IT staff in recent years as a penny-smart/pound-foolish cost-saving measure, wonder if this will show Franciscan Healthcare how stupid that is.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin