96 Annals of Health Law Vol. 25
predominance.243 Resnick v. AvMed, Inc., is a rare case decided in plaintiffs’ favor on this issue.244 Thieves stole two unencrypted laptops containing information on 1. 2 million patients from a health insurer.245 The plaintiff class representatives, two plan members who had histories of being particularly careful with their personal or sensitive information, alleged inter alia negligence, negligence per se, and breach of contract.246 Within a year of the theft both plaintiffs had been victims of identity theft.247 The Eleventh Circuit Court held that the pleading of causation was sufficient to avoid dismissal.248 Specifically, the court noted that the plaintiffs had “pled a cognizable injury and have pled sufficient facts to allow for a plausible inference that [defendant’s] failures in securing their data resulted in their identities being stolen.249 They have shown a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence.”250 In some cases, a state data protection statute that provides for nominal damages may throw plaintiff a lifeline. However, in Sutter Health v. Superior Court, even that was insufficient.251 The California statute in question, part of the CMIA, provided for nominal damages of $1,000.00, noting that, “[ i]n order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.”252 Given that four million medical records had been stolen, the stakes were high.253 The court ruled that the theft of the data was insufficient and that the statutory damage provision was not triggered until, the plaintiffs demonstrated that the confidentiality of their records had been lost, by showing the thief had viewed the stolen information.254
Amnesty Int’l USA, 133 S. Ct. 1138, 1151 (2013) (“[R]espondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”); see also, Green v. eBay Inc., No. 14-1688, 2015 U.S. Dist. LEXIS 58047, at 6 (E.D. La. May 4, 2015); see, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 697 (7th Cir. 2015) (holding victims of cyber theft of credit card information plausibly alleged standing to bring class action). 243. FED. R. CIV. P. 23. 244. Resnick v. AvMed, Inc., 693 F.3d 1317, 1321 (11th Cir. 2012). 245. Id. at 1322. 246. Id. at 1321. 247. Id. 248. Id. 249. Id. at 1330. 250. Id. 251. Sutter Health v. Superior Court, 174 Cal. Rptr. 3d 653, 655 (Cal. Ct. App. 2014). 252. CAL. CIV. CODE § 56. 36 (West 2016). 253. Sutter, 174 Cal. Rptr. 3d at 655. 254. Id. at 662.