Last week, New York federal judge Vincent L. Bricetti dismissed a data breach class action against Northeast Radiology PC (Northeast) and Alliance HealthCare Services (Alliance) because the plaintiffs failed to allege a cognizable injury.

In July 2021, Jose Aponte II and Lisa Rosenberg filed suit alleging that Northeast and Alliance failed to protect their sensitive health data from unauthorized access. The complaint alleged that more than 1.2 million patients’ medical records were exposed, including more than 60 million X-rays, CT scans, MRIs, medical test results, diagnoses, Social Security numbers, names, and addresses.

According to the complaint, in mid-2019, a third-party forensic firm discovered “major flaws” in the companies’ medical archiving system that exposed patients’ medical records to the general public. The plaintiffs alleged that the companies had inadequate security systems and that they failed to remediate the firm’s findings, which led to unauthorized parties accessing patient information for “at least nine months between April 14, 2019 and January 7, 2020.” However, Judge Bricetti dismissed the complaint based on the lack of standing. Judge Bricetti said the mere potential for exposure of their information did not establish that the plaintiffs were harmed from the incident. Judge Bricetti wrote, “Plaintiffs’ risk of future harm is too speculative to establish standing.” Aponte and Rosenberg were patients at Northeast Radiology, however, Northeast Radiology only confirmed that 29 patients’ information was accessed as a result of this incident and the plaintiffs were not included in that group. Therefore, said Judge Bricetti, the risk of having their data misused was too remote and the complaint warranted dismissal.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.