United States District Court, M.D. Florida, Tampa Division
JANIE STAPLETON, on her own behalf and on behalf of her minor child, C.P., DAVID PACKEN, on his own behalf and on behalf of his minor child, D.J., and CARMELO ALVAREZ, JR. on his own behalf and on behalf of his minor child, K.R.A., Plaintiffs,
TAMPA BAY SURGERY CENTER, INC., Defendant.
S. MOODY, JR., UNITED STATES DISTRICT JUDGE
C.P., D.J., and K.R.A. are patients of Tampa Bay Surgery
Center, Inc. (“TBSCI”), whose parents provided
sensitive information about them to TBSCI. TBSCI's
patient database was hacked, and C.P., D.J., and K.R.A.'s
information was briefly posted online, along with the
information of more than 142, 000 other patients. Although no
patient has had their information misused as a result of the
data breach, Plaintiffs are suing TBSCI. The Court concludes
the action should be dismissed because Plaintiffs have not
suffered an injury in fact and, thus, lack standing to sue.
D.J., and K.R.A. are minor children who were patients at
TBSCI. (Doc. 4, ¶ 4). As patients, the children's
parents were required to provide information to TBSCI,
including the children's names, dates of birth, home
addresses, and social security numbers (the “Sensitive
Information”). (Doc. 4, ¶ 5). TBSCI stored this
Sensitive Information electronically in a patient database.
(See Doc. 4, ¶ 36).
2017, a hacker breached TBSCI's database and published
C.P., D.J., and K.R.A.'s Sensitive Information on a
public file-sharing website, along with the Sensitive
Information of more than 142, 000 other TBSCI patients. (Doc.
4, ¶ 4). Plaintiffs do not allege that any of the
Sensitive Information has been used. Instead, Plaintiffs
allege they are at an increased risk of having their identity
stolen and are compelled to incur the costs of credit
monitoring/identity theft protection. (Doc. 4, ¶ 10). At
least one Plaintiff, C.P.'s mother Janice Stapleton,
purchased identity theft protection. (Doc. 4, ¶ 8).
admits that the data breach occurred and that the Sensitive
Information was briefly posted online before being removed.
(Doc. 12). After the data breach, TBSCI provided free
identity protection services to Plaintiffs and other
potentially affected patients. (Doc. 12, p.
3-4). The identity theft protection services
TBSCI provided locks the affected patient's credit file
to prevent access and sends an alert if someone attempts to
use the patient's information to open a new line of
credit. (Doc. 12, p. 3 n.3).
2017, Plaintiffs sued TBSCI in a putative class action suit
for negligence, breach of fiduciary duty, and invasion of
privacy, all under Florida law. TBSCI now moves to dismiss
arguing the Court has no jurisdiction because Plaintiffs lack
Rule of Civil Procedure 12(b)(1) allows a complaint to be
dismissed for lack of subject-matter jurisdiction. A district
court has subject-matter jurisdiction if the claims present a
case or controversy under the Constitution and there is
standing. Resnick v. AvMed, Inc., 693 F.3d 1317,
1323 (11th Cir. 2012). A plaintiff bears the burden of
proving standing, which requires a showing that “(1) it
has suffered an ‘injury in fact' that is (a)
concrete and particularized and (b) actual or imminent, not
conjectural or hypothetical; (2) the injury is fairly
traceable to the challenged action of the defendant; and (3)
it is likely, as opposed to merely speculative, that the
injury will be redressed by a favorable decision.”
Id. (quoting Friends of the Earth, Inc. v.
Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81,
120 S.Ct. 693, 704, 145 L.Ed.2d 610 (2000)).
pleading stage, the injury element can be satisfied by
“general factual allegations of injury resulting from
the defendant's conduct.” Lujan v. Defs. of
Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 2137, 119
L.Ed.2d 351 (1992). An allegation of imminent injury may
suffice if the threatened injury is “certainly
impending, ” or there is a “‘substantial
risk' that the harm will occur.” Clapper v.
Amnesty Int'l USA, 568 U.S. 398, 414 n. 5, 133 S.Ct.
1138, 1150 n. 5, 185 L.Ed.2d 264 (2013). But
“‘[a]llegations of possible future
injury' are not sufficient.” Id. at 409
(quoting Whitmore v. Arkansas, 495 U.S. 149, 158,
110 S.Ct. 1717, 1724, 109 L.Ed.2d 135 (1990)). So a future
injury will not confer standing if it relies on an
“attenuated chain of inferences necessary to find
harm.” Id. at 414 n. 5; see also
Lujan, 504 U.S. at 564, (“Although imminence is
concededly a somewhat elastic concept, it cannot be stretched
beyond its purpose, which is to ensure that the alleged
injury is not too speculative for Article III purposes-that
the injury is certainly impending.”).
issue of whether a data breach on its own is an “injury
in fact” is novel for this Court and has not been
addressed by the Eleventh Circuit. Other circuit courts have
reached conflicting conclusions, with the Sixth, Seventh,
Ninth, and D.C. Circuits holding data breach victims have
standing because they are at a substantial risk of injury,
and the First, Second, Third, and Fourth Circuits holding
data breach victims lacked standing. So there is no clear
consensus as to how the issue should be resolved. Considering
the arguments on both sides, the Court agrees with TBSCI that
Plaintiffs did not alleged an injury in fact.
satisfy standing, Plaintiffs must prove an imminent injury.
While Plaintiffs allege two categories of harm-(1) their risk
of being victims of identity theft as a result of the data
breach and (2) the costs Plaintiff Stapleton has incurred and
others may incur for credit monitoring/identity theft
protection-both categories require Plaintiffs to show there
is at least a substantial risk their Sensitive Information
will be used in a harmful manner. That is because the second
category-Plaintiff Stapleton's payment for credit
monitoring and identity theft protection-would not be an
actual injury unless there was already a substantial risk of
identity theft. Clapper, 568 U.S. at 416 (holding,
“respondents cannot manufacture standing merely by
inflicting harm on themselves based on their fears of
hypothetical future harm that is not certainly
impending.”). So Plaintiffs only have standing if their
alleged injury is certainly impending or if there is a
substantial risk of injury.
Court concludes Plaintiffs' allegations are insufficient
to show that an injury is certainly impending or that they
have a substantial risk of imminent injury. First, Plaintiffs
are unable to identify a single proposed class member who has
had their Sensitive Information misused as a result of the
data breach. See Torres v. Wendy's Co., 195
F.Supp.3d 1278, 1283 (M.D. Fla. 2016) (discussing the number
of plaintiffs who have experienced fraudulent charges as an
“influential factor” in determining whether
future harm is “certainly impending”). The ...