Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Stapleton v. Tampa Bay Surgery Center, Inc.

United States District Court, M.D. Florida, Tampa Division

August 30, 2017

JANIE STAPLETON, on her own behalf and on behalf of her minor child, C.P., DAVID PACKEN, on his own behalf and on behalf of his minor child, D.J., and CARMELO ALVAREZ, JR. on his own behalf and on behalf of his minor child, K.R.A., Plaintiffs,



         Plaintiffs C.P., D.J., and K.R.A. are patients of Tampa Bay Surgery Center, Inc. (“TBSCI”), whose parents provided sensitive information about them to TBSCI. TBSCI's patient database was hacked, and C.P., D.J., and K.R.A.'s information was briefly posted online, along with the information of more than 142, 000 other patients. Although no patient has had their information misused as a result of the data breach, Plaintiffs are suing TBSCI. The Court concludes the action should be dismissed because Plaintiffs have not suffered an injury in fact and, thus, lack standing to sue.


         C.P., D.J., and K.R.A. are minor children who were patients at TBSCI. (Doc. 4, ¶ 4). As patients, the children's parents were required to provide information to TBSCI, including the children's names, dates of birth, home addresses, and social security numbers (the “Sensitive Information”). (Doc. 4, ¶ 5). TBSCI stored this Sensitive Information electronically in a patient database. (See Doc. 4, ¶ 36).

         In May 2017, a hacker breached TBSCI's database and published C.P., D.J., and K.R.A.'s Sensitive Information on a public file-sharing website, along with the Sensitive Information of more than 142, 000 other TBSCI patients. (Doc. 4, ¶ 4). Plaintiffs do not allege that any of the Sensitive Information has been used. Instead, Plaintiffs allege they are at an increased risk of having their identity stolen and are compelled to incur the costs of credit monitoring/identity theft protection. (Doc. 4, ¶ 10). At least one Plaintiff, C.P.'s mother Janice Stapleton, purchased identity theft protection. (Doc. 4, ¶ 8).

         TBSCI admits that the data breach occurred and that the Sensitive Information was briefly posted online before being removed. (Doc. 12). After the data breach, TBSCI provided free identity protection services to Plaintiffs and other potentially affected patients. (Doc. 12, p. 3-4).[1] The identity theft protection services TBSCI provided locks the affected patient's credit file to prevent access and sends an alert if someone attempts to use the patient's information to open a new line of credit. (Doc. 12, p. 3 n.3).

         In June 2017, Plaintiffs sued TBSCI in a putative class action suit for negligence, breach of fiduciary duty, and invasion of privacy, all under Florida law. TBSCI now moves to dismiss arguing the Court has no jurisdiction because Plaintiffs lack standing.[2]


         Federal Rule of Civil Procedure 12(b)(1) allows a complaint to be dismissed for lack of subject-matter jurisdiction. A district court has subject-matter jurisdiction if the claims present a case or controversy under the Constitution and there is standing. Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012). A plaintiff bears the burden of proving standing, which requires a showing that “(1) it has suffered an ‘injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Id. (quoting Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81, 120 S.Ct. 693, 704, 145 L.Ed.2d 610 (2000)).

         At the pleading stage, the injury element can be satisfied by “general factual allegations of injury resulting from the defendant's conduct.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 2137, 119 L.Ed.2d 351 (1992). An allegation of imminent injury may suffice if the threatened injury is “certainly impending, ” or there is a “‘substantial risk' that the harm will occur.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n. 5, 133 S.Ct. 1138, 1150 n. 5, 185 L.Ed.2d 264 (2013). But “‘[a]llegations of possible future injury' are not sufficient.” Id. at 409 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158, 110 S.Ct. 1717, 1724, 109 L.Ed.2d 135 (1990)). So a future injury will not confer standing if it relies on an “attenuated chain of inferences necessary to find harm.” Id. at 414 n. 5; see also Lujan, 504 U.S. at 564, (“Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes-that the injury is certainly impending.”).


         The issue of whether a data breach on its own is an “injury in fact” is novel for this Court and has not been addressed by the Eleventh Circuit. Other circuit courts have reached conflicting conclusions, with the Sixth, Seventh, Ninth, and D.C. Circuits holding data breach victims have standing because they are at a substantial risk of injury, and the First, Second, Third, and Fourth Circuits holding data breach victims lacked standing.[3] So there is no clear consensus as to how the issue should be resolved. Considering the arguments on both sides, the Court agrees with TBSCI that Plaintiffs did not alleged an injury in fact.

          To satisfy standing, Plaintiffs must prove an imminent injury. While Plaintiffs allege two categories of harm-(1) their risk of being victims of identity theft as a result of the data breach and (2) the costs Plaintiff Stapleton has incurred and others may incur for credit monitoring/identity theft protection-both categories require Plaintiffs to show there is at least a substantial risk their Sensitive Information will be used in a harmful manner. That is because the second category-Plaintiff Stapleton's payment for credit monitoring and identity theft protection-would not be an actual injury unless there was already a substantial risk of identity theft. Clapper, 568 U.S. at 416 (holding, “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”). So Plaintiffs only have standing if their alleged injury is certainly impending or if there is a substantial risk of injury.

         The Court concludes Plaintiffs' allegations are insufficient to show that an injury is certainly impending or that they have a substantial risk of imminent injury. First, Plaintiffs are unable to identify a single proposed class member who has had their Sensitive Information misused as a result of the data breach. See Torres v. Wendy's Co., 195 F.Supp.3d 1278, 1283 (M.D. Fla. 2016) (discussing the number of plaintiffs who have experienced fraudulent charges as an “influential factor” in determining whether future harm is “certainly impending”). The ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.