The Courts Government

Federal Court: Theft of Medical Records Not an 'Imminent Danger' To Victim

chicksdaddy writes: A federal court in Texas ruled last week that a massive data breach at a hospital in that state didn't put patients at imminent risk of identity theft, even when presented with evidence that suggested stolen patient information was being used in attempted fraud and identity theft schemes. According to a post over at Digital Guardian's blog, Beverly Peters was one of more than 400,000 patients of St. Joseph Hospital whose information was stolen by hackers in an attack that took place between December 16 and 18, 2013.

Peters alleged that her personal information had been exposed in the breach and then disseminated in the public domain, where it was being "misused by unauthorized and unknown third parties." Specifically: Peters reported that, subsequent to the breach at St. Josephs, her Discover credit card was used to make a fraudulent purchase and that hackers had tried to infiltrate her Amazon.com account — posing as her son. Also: telemarketers were using the stolen information. Peters claimed that, after the breach, she was besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph's.

As a result, Peters argued that she faced an "imminent injury" due to "increased risk" of future identity theft and fraud because of the breach at St. Joseph, and wished to sue the hospital for violations of the Fair Credit Reporting Act (FCRA). But the court found otherwise, ruling that Peters lacked standing to bring the case in federal court under Article III of the Constitution.
That was because she hadn't been able to prove any direct damages from the attempted identity theft that occurred in the past (Discover reversed the fraudulent charge), while the threat she faced in the future was not "imminent."

As this article notes, the ruling turns on a high profile case involving government surveillance and the now-infamous FISA courts dating back to the Carter administration: Clapper v. Amnesty International USA. In that case, the U.S. Supreme Court ruled against the human rights group and a collection of lawyers and reporters in a challenge to part of the Foreign Intelligence Surveillance Act (FISA). The plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and the threat would force them to take expensive security measures to keep their communications private. The High Court ruled otherwise, saying the threat of government surveillance was hypothetical, but not "certainly impending."

In his 15 page ruling (PDF), U.S. District Judge Kenneth Hoyt said the same logic applied to Peters' suit as well. "Under Clapper, Peters must at least plausibly establish a 'certainly impending' or 'substantial' risk that she will be victimized," Hoyt wrote. "The allegation that risk has been increased does not transform that assertion into a cognizable injury."
  • Exactly! (Score:5, Funny)

    by hsmith ( 818216 ) on Friday February 20, 2015 @09:36AM (#49094237)
    Because just like a credit card number when that is lost / stolen, they can just issue you a new medical history. They can undo the fact you may have diabetes, cancer, HIV, MS, heart disease all really easily and it won't impact your life at all.
    • This story is so F*ed up! It makes me sad, angry, and scared!!!
      Is there any further appeal going to take place, or is this it?!

      • So... which is this? stupidity or corruption?

      • Of course there will be appeals, and of course this is just another weird decision from Texas that will get reversed by the Appeals Court.

        Not really sure why it hit slashdot before an appeal. This is routine nonsense a case has to go through when you're suing anybody with deep pockets. Justice will be delayed, but not denied; the wheels of Justice turn slowly, but they do turn.

      • This is a perfectly predictable ruling. Frankly, I'm amused that a lawyer even took the case to court.

        The legal use of the term "imminent" doesn't mean "probably going to happen". "Imminent" means that, barring exceptional circumstances or luck, a particular result will happen before anyone has a reasonable chance to stop it.

        Aim a loaded gun at someone and pull the trigger, and injury is imminent. Aim at a vital area, and death is imminent. Leave a knife in an unlocked drawer when a young child is nearby wh

    • Re:Exactly! (Score:4, Insightful)

      by gweihir ( 88907 ) on Friday February 20, 2015 @10:47AM (#49094541)

      Indeed. It shows that the legal system is fundamentally broken and incapable of dealing with the problems arising in an information-based society. No surprise.

      • I would tend to disagree on theft with no victims. What happens when the person that got their medical records stolen finds this was promoted by or done by the people that now harass them on the phone. And when said victim shows up on their doorstep with a baseball bat because the law (not unlike 9/11) failed to act and have now produced case law that will prevent them from having to act on it in the future? I think there are more individual people than corporations, think the law will fail to act on bac

      • Re:Exactly! (Score:5, Insightful)

        by gtall ( 79522 ) on Friday February 20, 2015 @01:17PM (#49095607)

        No, it shows that a judge in Texas is screwed up. Arguing from a single point to an entire set of points is generally a hard argument to make, I suggest you take Logic 101.

        • by HiThere ( 15173 )

          If this were a single data point, I would agree with you. Unfortunately, it's merely the most recent.

    • "Hey, I've always wanted to have sex with two beautiful women such as yourselves, but I've never had the nerve. Well, I'm dying of cancer and... well... here. Let me show you my medical records first."

    • Comment removed based on user account deletion
  • We Are Just Serfs (Score:2, Insightful)

    by Anonymous Coward
    So, basically, it seems from now on that attempted murder is going to be dropped as a crime, because a bullet would actually have to hit you, or at least graze you, in order for there to be a risk of harm? This is just another sign that the corporatocracy that we live in is never again going to recognize and respect the rights of individuals that are bearing the brunt for sloppy security and an unwillingness to recognize -- or care about -- the danger that results from it.
  • by NotDrWho ( 3543773 ) on Friday February 20, 2015 @09:37AM (#49094245)

    I wonder if Judge Kenneth Hoyt would be cool with hackers openly posting all of his personal info online. After all, it's not a cognizable injury or anything.

    • by monkeyzoo ( 3985097 ) on Friday February 20, 2015 @10:12AM (#49094343)

      Open call to doxx the judge? Anonymous, are you listening?
      And then if the gov't catches the hackers, they can just say, hey there was no harm!!! He said so himself!

      • No need to dox him. Just find out what hospital his medical records are at...

        • Re: (Score:3, Insightful)

          by Gr8Apes ( 679165 )
          While normally I'd say no, in this case, the only way this judge will see the light is to personally experience just exactly what it means to be hacked. He's already demonstrated a total lack of understanding with actual evidence thrown in front of him, so maybe the experience will enlighten him. Would his position be the same with the meth-addicted gun toting neighbor that shoots randomly into the neighborhood yesterday, that he's not an imminent threat today.... some people are just idiots.
          • by tnk1 ( 899206 ) on Friday February 20, 2015 @01:14PM (#49095589)

            I don't know that this is entirely fair. While a lot rides on a judge's opinion, in the end, the judges are only supposed to interpret the law and precedents from higher courts, not make things up as they go along. If there had been no precedent (ie. the Clapper decision), he may have felt more free to define a better test for "imminent threat".

            Most lower court judges work to make sure their decisions will pass muster on appeal. That requires them to respect precedents or you can be sure that those judges will be constantly overruled on appeal. And if a judge is constantly overruled on appeal, it means that more cases end up waiting on appeals and fewer cases can be heard. If the Supreme Court is constantly having to decide cases that end up in their lap on appeal, they'll have no time to ensure the most important ones get their time. If a judge becomes a passthrough to an appeal, that judge will have their reputation and possibly their career suffer.

            There is a reason that judges are appointed, sometimes for life. They're supposed to be accountable to the law, not the electorate directly. If we have a problem with definitions, we need to get legislation with the right definitions. I am not suggesting that anyone get doxxed, but if someone was to be, it needs to be legislators.

            • by wiredlogic ( 135348 ) on Friday February 20, 2015 @02:05PM (#49095973)

              You don't get a free pass to throw out common sense when you enter the judiciary.

              • by tnk1 ( 899206 )

                Yes, but if common sense does not conform to a legal precedent, the precedent wins. That's the system. If the precedent needs changing, then the higher court needs to act on it, or it needs to be overridden by legislation.

                If there is no precedent, then sure, the judge can apply their own sense with a lot more leeway.

                The problem is that when you expect a judge to use their "common sense", what that is varies for every person, even if just a little bit. Judges are in a position to legislate from the bench

            • I don't know that this is entirely fair. While a lot rides on a judge's opinion, in the end, the judges are only supposed to interpret the law and precedents from higher courts, not make things up as they go along. If there had been no precedent (ie. the Clapper decision), he may have felt more free to define a better test for "imminent threat".

              You've forgotten that this is the USA, where the highest law of the land is the Bill of Rights.

              The Anti-Federalists opposed the original Constitution on many grounds, including a) there was no Bill of Rights, and b) any Bill of Rights would be incomplete.

              During the ratification process, promises were made that this issue would be dealt with. James Madison wrote a Bill of Rights, and cleverly made it open-ended, by providing for unspecified rights retained by the people (9th Amendment) and reserved to the p

          • by Kaenneth ( 82978 ) on Friday February 20, 2015 @02:02PM (#49095947) Journal

            True:

            http://en.wikipedia.org/wiki/V... [wikipedia.org]

            "Congress passed the VPPA after Robert Bork's video rental history was published during his Supreme Court nomination."

      • by RingDev ( 879105 )

        Not saying that this judge is deserving of a doxxing, but I would like to point out his trial history: http://www.plainsite.org/judge... [plainsite.org]

        Which includes almost $300,000 in civil forfeiture cases in southern Texas. Those cases most folks refer to as "state-sanctioned highway robbery".

        -Rick

      • No doxxing, please (two wrongs don't make a right). The guy's apparently well-known [verdicts-forecast.com] already anyway, and quite the infamous judicial nutcase. A classic case for why judges shouldn't be allowed to serve for life.

      • Open call to doxx the judge? Anonymous, are you listening?
        And then if the gov't catches the hackers, they can just say, hey there was no harm!!! He said so himself!

        I grieve for the lawyer who has a geek for a client.

        The accidental exposure of medical records and the like can potentially be quite damaging, of course. But the harm to any particular individual or institution can be hard to measure, at least in the beginning.

        The moment you conspire to actually make use of such personal information to harass or intimidate a federal judge you are open to conviction on the felony charge.

    • Dox him and let's find out.
    • "Standing" (Score:5, Insightful)

      by sycodon ( 149926 ) on Friday February 20, 2015 @10:16AM (#49094365)

      The concept of Standing has to be the most abused notions in the legal system, especially with regards to the government.

      You should not have to prove you have been specifically injured in order to make the government follow the law.

      • Re:"Standing" (Score:5, Insightful)

        by kilfarsnar ( 561956 ) on Friday February 20, 2015 @10:32AM (#49094461)

        The concept of Standing has to be the most abused notions in the legal system, especially with regards to the government.

        You should not have to prove you have been specifically injured in order to make the government follow the law.

        It's even worse nowadays, because the government does so much in secret the evidence you have been injured is classified.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        Do you have any concept of what the case is about here?

        Standing requires you to have:
        1) actual injury (or imminent injury);
        2) The injury must be caused by the defendants' actions or negligence;
        3) The injury must be redressable - e.g., it must be likely that court action will remedy the situation and make the plaintiff "whole" again;

        What is alleged by the plaintiff in this case is that "I'm at heightened risk of identity theft because of this, therefore St. Joseph's is in violation of the law and should b

        • Do you have any concept of what the case is about here?

          Standing requires you to have:
          1) actual injury (or imminent injury);
          2) The injury must be caused by the defendants' actions or negligence;
          3) The injury must be redressable - e.g., it must be likely that court action will remedy the situation and make the plaintiff "whole" again;

          What is alleged by the plaintiff in this case is that "I'm at heightened risk of identity theft because of this, therefore St. Joseph's is in violation of the law and should be punished for the leak." Except every injury she claims is theoretical - not imminent, and there is no way of telling from ONLY her claims whether or not these claimed injuries were caused by the St. Joseph's leak. My medical records have never been breached, but somebody's stolen my credit card number before... so there are, clearly, other ways for a credit card number to be stolen. My medical records have never been breached, but I've received spam mail that appears to be from my own email address - so again, clearly there's other ways for this to happen. My medical records have never been breached, but I've received numerous and frequent calls from telemarketers - again, if all they have is her claim, then the preponderance of the evidence doesn't show that St Joseph's is the CAUSE of her woes.

          What's more, the only *actual injury* she's sustained has been fixed already - Discover declined the charge & issued her a new account.

          What's left is big scary sounding ghost stories that "someday some hacker might use my stuff to do scary stuff, and the only way that could have happened is through St. Joseph's negligence."

          So... yeah, she doesn't have standing to file a class action suit. In making this judgement, the government *is* following the law. Of course, if you'd like to revise the rules for Standing, then I'll go file a federal case against you because I'm afraid that something I've said here might make you punch me in the mouth someday. Because you know, punching someone in the mouth is against the law, and you MIGHT do it to me someday, so it never hurts to get you thrown in jail ahead of time - right?

          Your points seem reasonable, but I don't recall seeing that the plaintiff had tried to set up a class action suit. That would be pushing the issue really hard.

        • by sycodon ( 149926 )

          What's more, the only *actual injury* she's sustained has been fixed already

          So, if I take pot shots at you, miss and then say, "sorry, my bad", you are good with that. No need to involve the police?

          And I'm saying that the Standing Rule needs to be looked at and revised, not tossed.

        • Re:"Standing" (Score:4, Interesting)

          by sycodon ( 149926 ) on Friday February 20, 2015 @11:45AM (#49095023)

          Let's say the Feds set up an illegal surveillance program (what? never happen!).

          They illegally spy on people but you don't know who. They may have spied on you, but you can't prove it.

          So YOU can't file a lawsuit against the feds because YOU haven't been spied on.

          Do you see how ridiculous "Standing" is in this situation?

          • by tnk1 ( 899206 )

            We need an ombudsman or independent commission which has automatic standing in Federal court with the specific charge of investigating scenarios like this where someone believes they could have been harmed, but they can't get enough evidence to prove that they have standing. The commission would then get the information, which they would keep secret until they determine a list of people where there might be probable cause that they have been injured. That or the commission sues, is granted an award, and t

          • by suutar ( 1860506 )

            Yes, but what makes it silly is that the surveillance program is illegal, and punishment should be meted out for that regardless of harm. Getting hacked is not illegal.

        • by Kaenneth ( 82978 )

          Does she use G-mail?

          When my brother in law got a private e-mail from a realtor with an attachment that suggested we get our basement lined with plastic; suddenly the ads on Slashdot were for local basement lining service companies, even before my brother-in law read the e-mail.

          Google not only read the e-mail attachment before it entered our home network, it automatically matched his e-mail account to our house's IP address (we don't share computers, so not cookie based), and started serving advertisements to

      • by Anonymous Coward

        Isn't the concept of Standing required to prevent random people without any real interest in the matter (or actually an interest to lose the case) to bring charges and set a precedent that is opposite to what a competent party might have achieved?

    • You guys obliquely or not so obliquely calling for doxing of a Federal Judge are pretty brave, I must say.

      But maybe you'll find out definitively if a U.S. Marshals Service no-knock warrant results in someone like Raylan Givens showing up to execute it, or whether that's just in Harlan County.

      Regardless, I'm sure whatever jail you end up in will definitely have someone who resembles Boyd Crowder.

      • Why not? Apparently, doxing isn't actually illegal [thedailybeast.com]!

        You could argue that it's not a smart thing to do because a Federal judge might have enough power to get somebody raided with a no-knock warrant and arrested even though the charges wouldn't stick, though.

        • by swb ( 14022 )

          Let's count the ways it could go wrong:

          1) Conspiracy to obstruct justice -- I don't know what the exact charge is, but let's just assume it's a Federal felony with a big fine and guaranteed jail time.

          2) No-knock raid, search and seizure of your computer equipment. Oh, and it will be held as evidence and likely subject to civil forfeiture. And they'll fucking trash your house while they're at it.

          3) What else do you have at home they can use to compound charges? Guns? Well, possession of a firearm while c

  • by Akratist ( 1080775 ) on Friday February 20, 2015 @09:38AM (#49094255)
    So, if I dropped my wallet, I wouldn't expect that there is an imminent danger that someone will take all the cash out of it and spend it?
    • No, no, no - this is like if you dropped your wallet, and someone used the personal information inside (from your driver's licence, credit cards, etc) to steal your identity, get a credit card in your name, spend the bank's money, and leave you liable.

      I trust that, like the judge in this case, you can now see why this is not a problem at all.

      Uh...

  • by gurps_npc ( 621217 ) on Friday February 20, 2015 @10:10AM (#49094329) Homepage
    "Imminent threat" seems to me to be the opposite of "increased risk".

    Frankly, this guy seems to be using the same definition of "imminent threat" that the CIA uses when it determines who to kill/torture.

    Which is of course a huge red flag that you have made a mistake. I mean really, thinking like the CIA?

    • "Imminent threat"

      That sounds soooooo familiar... I just can't place [google.com] it...

    • by penix1 ( 722987 ) on Friday February 20, 2015 @11:00AM (#49094623) Homepage

      To my lay eye (IANAL and all) this is enough to justify more than imminent threat but actual harm:

      subsequent to the breach at St. Josephs, her Discover credit card was used to make a fraudulent purchase and that hackers had tried to infiltrate her Amazon.com account -- posing as her son. Also: telemarketers were using the stolen information. Peters claimed that, after the breach, she was besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph's.

      For this judge to say it is simply ignoring the actual harm done is mind blowing...

      • These are claims; a judge would require proof of this. The hack and calls will be hard to prove (unless she recorded the calls), but presumably there is proof of the fraudulent purchase. Even so, she'd have to prove that the thieves got the CC details from the St. Joseph leak and not from elsewhere.

        However I'd think that the bar for such proof wouldn't be all that high when the judge is merely determining if the plaintiff has standing; that definitive proof should wait until the case is actually tried.
        • by penix1 ( 722987 )

          First of all, yes they are claims partially substantiated by documents (CC Statements) and in the case of Amazon, any confirmation emails (which I assume they have since they thwarted the attempt).

          Still, that, to me, is more than enough to justify not only standing but the claim of "imminent harm" which this judge is denying.

        • by suutar ( 1860506 )

          the problem is that once the fraudulent purchase is reversed (which it was) it's no longer legally "harm" because you aren't out any money.

          • by Sabriel ( 134364 )

            Except for the time you spent chasing the money back and dealing with all the crap the ID theft caused. And time is money, as any lawyer who's ever billed for his time could tell you.

  • Sounds like our system of law is broken. What's next?
  • Isn't that the argument for warrantless wiretapping, something might happen in the future? Wasn't that reason to invade Iraq, they might develop nuclear weapons...
  • by DutchUncle ( 826473 ) on Friday February 20, 2015 @10:31AM (#49094453)
    Maybe this is saying that you can't sue for something that hasn't happened yet - and, indirectly, that the law requiring protection of confidentiality (and penalizing failure) has no teeth, and that the limits against abusive overreach of law are allowing an end-run around the general intent.

    Let's say you had a workman at your house, and they left the garage door unlocked when they were finished. If you come home and everything is fine, then there is no cause for legal action. If you come home and your house has been robbed, then first it's the robber's criminal act, and then maybe there's a civil action by your insurance company to get money from the workman's insurance company.

    The hospital is seen as the *victim* of a theft, just as if a doctor's or psychiatrist's office were broken into for drugs and some records were stolen, rather than a *culprit* for "failing to maintain HIPAA confidentiality". YOU have to go after each person who does something illicit with the information; each marketer, each fraud instance, each problem, is individual. And since each of them is small individually, it's YOUR burden to chase them as a civil matter rather than a criminal matter that would get you some help from society (through the police agencies).
    • The difference in this case as I understand it is that the hospital was legally required to lock that door then they failed to properly secure the door which resulted in the theft of sensitive information. In your example there is no such burden placed on the workmen. They are not required by law to ensure the safety of the homes that they work at unlike the hospital. A better example would be to compare the hospital to a bank. If a bank is robbed and all of their customers' money is stolen is the bank

      • by suutar ( 1860506 )

        nope, the bank is not responsible. The FDIC will cover some losses because the bank bought insurance (because not having it means fewer customers), but above that you're SOL unless the thief is caught and the money is returned.

    • by cusco ( 717999 )

      The hospital **will** be facing fines for the breach, HIPAA violations are expensive. Hospitals have been cutting IT staff in recent years as a penny-smart/pound-foolish cost-saving measure, wonder if this will show Franciscan Healthcare how stupid that is.

  • by Sloppy ( 14984 ) on Friday February 20, 2015 @10:31AM (#49094457) Homepage Journal

    If a breach happens, just change your medical history.

    • This.

      It's stupid to continue having high blood pressure once a breach has been revealed.

      People should change ailments at least every 60 days.

  • So, suddenly when the government is on the line the Constitution is useful for something more than toilet paper? Got it.

    It's amazing how so many judges lack sound judgement, which, by definition, should be a basic requirement for the job....

    • by cusco ( 717999 )

      Government??? The government doesn't own the hospital, care to clarify your point? The judge is protecting the interests of the healthcare conglomerates from the threat of 400,000 injured customers.

  • Generally people do not understand about personal data until it bites them in the butt. If his data and his family's data gets highlighted in those records on the net. Bet he will think differently very fast. Perhaps he needs to understand the personal injury before he can make good decisions.
    Until it is more expensive for people that make these decisions and corporations that fail on so many levels of bureaucracy, no changes will be made that have an impact.
  • "Your honor, the plaintiff's files are now completely safe. They're in no danger. Unless the new Jaguar that is parked just outside your office in the no park zone. The one for which the keys have been put .... right ... here"

    There really seems to be no logical/moral ideas behind these decisions.

  • ... because it is another hammer-strike on the chisel that's helping shape the body of evidence required to successfully try breach cases like this.

    The plaintiff has no standing because 1.) no identity theft actually occurred, 2.) there is no strong indicator that identity theft will occur.

    As litigants sharpen the evidentiary needle, courts are going to be boxed in to a decision just as soon as a victim meets criteria 1.) and 2.).

    It's not, "if," it's "when."

  • by sabbede ( 2678435 ) on Friday February 20, 2015 @11:45AM (#49095025)
    The court did not say she was wrong, it said she went to the wrong courthouse.
  • by Kjella ( 173770 ) on Friday February 20, 2015 @12:04PM (#49095179) Homepage

    Although it is alleged that St. Joseph's failures "proximately caused" these injuries, the allegation is conclusory and fails to account for the sufficient break in causation caused by opportunistic third parties. The injuries, to the extent that they meet the first prong, are "the result of the independent action of a third party" and therefore not cognizable under Article III.

    1) Company leaks your data
    2) Third parties abuse your data
    3) You don't have standing to sue company, because you've been harmed by third parties.

    Who else would have standing to sue except for the people whose data is being protected? This is basically saying nobody has standing and the law is null and void. This judge should rule the Snowden trial, if there ever is one. He'd dismiss all charges because the US government would lack standing, they haven't been harmed by Snowden's actions only the actions of independent third parties acting on his information. That's a clear break in causation, don't you agree?

    • by suutar ( 1860506 )

      No, the break in causation is that there's no way to show that the data these third parties are using against the woman _definitely came from the hospital breach_. There's other ways to get card numbers, there's other ways to get family info. Now, if they start using _medical info_ against her, it'll be a lot harder to come up with alternatives, because there's not that many places to get hold of it.

      In your analogy, because the stuff Snowden is leaking isn't available elsewhere, it'd be pretty easy to show

  • ... go to the free clinic with your STDs, genital warts and other maladies and check in with the ID for Kenneth Hoyt.
