On October 17, the District of Massachusetts added to the growing line of federal courts that have held a mere data breach, without additional harm, is insufficient to grant customers Article III standing.  See Webb v. Injured Workers Pharmacy, LLC, 2022 WL 10483751, at *1 (D. Mass. Oct. 17, 2022).  In February 2022, a home delivery pharmacy notified over 75,000 affected customers that hackers broke through its defenses and accessed patients’ personal data.  Two of these customers filed a putative class action against the pharmacy, alleging various tort and contract theories.  The court dismissed their claims for lack of standing, holding that plaintiffs had failed to allege any actionable harm stemming from the data breach despite their allegations that the breach caused them significant emotional harm.

Webb is notable because the plaintiffs attempted to distinguish their situation from other data breach cases that courts dismissed on similar standing grounds.  Unlike in those cases, which did not allege emotional injuries associated with the stress of potential data misuse, the plaintiffs in Webb argued that they suffered “anxiety, sleep disruption, stress, and fear” and spent “considerable time and effort” monitoring their accounts for suspicious activity.  Moreover, one plaintiff suggested—without alleging causation—that the data breach might have led to the filing of a fraudulent tax return in her name. 

The court held that those allegations were insufficient.  According to the court, some “future possibility that an unauthorized third party will, at some undetermined time, misuse [the plaintiffs’]” information, was “not sufficiently threatening to establish an ‘injury in fact.’”  As to their emotional distress and monitoring allegations, the court concluded that the plaintiffs could not manufacture standing by “inflicting harm on themselves based on . . . hypothetical future harm.”  In addition, the court held that the fact that fraudulent tax returns were filed in one plaintiff’s name was insufficient to avoid dismissal because the plaintiffs failed to allege that the data breach caused the fraudulent returns to be filed or point to any harm stemming from the fraudulent filing. 

This decision reinforces the standing hurdles for plaintiffs to clear in data-breach cases in the wake of TransUnion LLC v. Ramirez,141 S. Ct. 2190 (2021).