Background
Plaintiff Betzaida Santos Pagán filed a putative class action against Bayamón Medical Center following a ransomware attack that exposed the personal and health information of over five hundred thousand patients. While the plaintiff alleged actual misuse of her data through a fraudulent cellphone account, she could not plausibly allege that this specific fraud was caused by the defendant’s breach.
The court’s reasoning
The court determined that while the plaintiff adequately pleaded an injury in fact through the actual misuse of her personal information, she failed to establish traceability. The complaint did not contain sufficient facts to show that the fraudulent account was the result of the defendant’s cyberattack rather than other sources.
We find that the complaint’s plausible allegations of actual misuse of her PII state an injury in fact.
Kerin v. Titeflex Corp., 770 F.3d 978, 981 (1st Cir. 2014)
What it means going forward
This decision reinforces the requirement in data breach litigation that plaintiffs must not only show harm but also provide a factual nexus connecting that harm directly to the specific breach alleged.