cybersecurity

District of Massachusetts Dismisses Data Breach Class Action for Lack of Injury

Practice area:

On October 18, 2022, in Webb v. Injured Workers Pharmacy, LLC, the District of Massachusetts dismissed a class action complaint brought by former pharmacy patients alleging that their sensitive personal information had been exposed in a data breach affecting more than 75,000 customers. In its analysis, the court determined that the named plaintiffs and putative class members could not satisfy the injury-in-fact requirement for constitutional standing. Plaintiffs Webb and Charley had claimed the breach caused “anxiety, sleep disruption, stress, and fear” and cost them “considerable time and effort” monitoring their accounts.

The court rejected these factual allegations as an insufficient basis to confer constitutional standing under Article III:

The Complaint does not sufficiently allege that the breach caused any identifiable harm. It is only alleged that Webb and Charley spent “considerable time and effort” monitoring their accounts and, in Webb’s case, dealing with the IRS. Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based