Milberg Data Breach Attorneys Help to Revive Webb v. Injured Workers Pharmacy Suit
by Brian Eckert
The United States Court of Appeals for the First Circuit has overturned a district court ruling that plaintiffs in a proposed class action against a prescription delivery company lack standing to seek damages.
Milberg’s David Lietz, who briefed and argued the case at the First Circuit, called the decision “really important for data breach litigation.”
Case Background
Webb et al v. Injured Workers Pharmacy, LLC is a proposed class action lawsuit filed in May 2022. The case stems from a January 2021 cyberattack that allegedly exposed the personally identifiable information (PII) of more than 75,000 patients of Injured Workers Pharmacy, LLC, a home delivery pharmacy service.
IWP filed a motion to dismiss the case, arguing that the plaintiffs “only generally allege an increased risk of future harm in the form of potential identity theft or fraud.” The plaintiffs responded in a motion that the increased risk of future economic harm was sufficient to establish standing.
A Massachusetts federal judge sided with the defendant and dismissed the case. He concluded the plaintiffs did not plausibly allege an injury in fact and therefore lacked Article III standing.
The plaintiffs appealed their case to the First Circuit. During oral arguments in May, David Lietz told a panel of judges that plaintiff Alexis Webb suffered concrete harm in the form of a fraudulent tax return filed in her name following the IWP data breach.
“Every circuit that has approached this question, and the United States Supreme Court, has ruled that if a plaintiff pleads actual misuse, that this satisfies the concrete injury standard for Article III standing purposes,” said Lietz.
He added that, at the pleadings stage, it is only necessary to show “plausibility,” a type of “obvious logical connection that could also be supported by a temporal connection.”
First Circuit Agrees Plaintiffs Have Standing
In an opinion issued on June 30th, First Circuit appellate judges held that the complaint plausibly shows the plaintiffs’ standing to seek damages.
“The plaintiffs press five causes of action seeking damages, each of which encompasses at least one of the harms that we hold satisfy the requirements of Article III standing,” the order states.
According to the circuit judges, the lawsuit plausibly alleges that plaintiff Webb suffered an injury in fact based on the allegations of actual misuse of her PII to file a fraudulent tax return. In addition, the lawsuit plausibly alleges an injury in fact to both plaintiffs based on an imminent and substantial risk of future harm, as well as a present and concrete harm resulting from the exposure to this risk, the judges wrote.
However, the judges held that the plaintiffs lack standing to pursue injunctive relief because the proposed injunctions would be unlikely to redress their alleged injuries.
The First Circuit thus affirmed in part, reversed in part, and remanded the case for further proceedings to the U.S. District Court for the District of Massachusetts.
Putting the First Circuit Decision in Context
A record number of data breaches were reported in 2021, the year of IWP’s breach. Last year, total data breaches remained flat, but more Americans were affected by them.
As data breaches increase, so do data breach lawsuits. A report on class action settlements reveals that data breach settlements totaled more than $700 million in 2022, up 46% from the previous year. The top settlements were against T-Mobile ($350 million), Capital One ($190 million), the U.S. Office of Personnel Management ($63 million), and Morgan Stanley ($60 million), with several more settlements falling in the $5 – $12 million range.
One of the biggest issues in data breach litigation is whether a plaintiff can show they have standing to assert claims for damages. It is well established that plaintiffs who have experienced direct economic harm—such as fraudulent charges—have standing. But it is less firmly established that plaintiffs have standing when there is only a risk of future harm.
The latter was cited by IWP as grounds for dismissing Webb v. Injured Workers Pharmacy. Their motion to dismiss noted that even though Webb claimed her data was used to file a fraudulent tax filing, she alleged no economic harm as a result.
In TransUnion LLC v. Ramirez, the U.S. Supreme Court rejected the argument that class members’ risk of future harm—without other concrete, present harm—was sufficient to confer standing. As Reuters notes, the decision sets a higher bar for federal class action plaintiffs suing immediately after a data breach, before any actual harm is specified.
The developing case law in the aftermath of TransUnion is still in its early stages, and the recent First Circuit decision demonstrates how it might be applied moving forward. The Webb decision joins the Third Circuit’s opinion in Clemens v. ExecuPharm as the only post-TransUnion federal appellate court data breach decisions. In both cases, the federal circuit courts held that the doors to federal court are still open based upon a present and imminent risk of future harm.
Webb v. Injured Workers Party asserts state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty. The First Circuit judges deciding the appeal cited TransUnion extensively.
For example, citing TransUnion, 141 S. Ct. at 2211, the judges wrote that, to establish standing to pursue damages, the complaint must also plausibly allege a separate concrete, present harm caused “by [the plaintiffs’] exposure to [this] risk [of future harm].”
The judges concluded that the complaint satisfied this requirement “based on the allegations of the plaintiffs’ lost time spent taking protective measures that would otherwise have been put to some productive use.” These allegations include “opportunity costs” and “lost wages” associated with the time and effort expended addressing future consequences of the data breach.
Milberg: A National Leader in Data Breach Litigation
Milberg cybersecurity and privacy lawyers have filed hundreds of data breach lawsuits, won millions of dollars for data breach victims, lobbied for court decisions that benefit data breach class members, and helped to create checks and balances against technology and the companies that wield it.
Mr. Lietz has successfully briefed and argued dozens of motions to dismiss, served as lead counsel in data breach cases on the cutting edge of Article III federal court jurisdiction, been named class counsel in dozens of data breach class actions, and won millions of dollars for data breach victims.
Since 1965, Milberg has filed thousands of class action lawsuits and recovered billions of dollars for our clients. We pioneered class action litigation and continue to be a leading voice for consumer justice.