Pharmacy Times reports:
In January 2021, a nationwide mail-order pharmacy located in Massachusetts experienced a data breach. The pharmacy discovered the breach in May 2021 and investigated to determine its scope. Personally identifiable information (PII), including names and Social Security numbers for more than 75,000 customers, was breached.
In February 2022, 9 months after the initial discovery and 13 months after the breach, the pharmacy began notifying customers of a breach in its computer information. The notification indicated the pharmacy had undertaken a “comprehensive and time-intensive review of the contents” involved in the breach and said the pharmacy “currently [has] no evidence that any information has been misused.” The notification provided customers with information about how they could help protect their personal information but did not offer customers any compensation for credit monitoring.
Litigation ensued. And even though one of the plaintiffs experienced identity theft and was the victim of tax refund fraud, the district court granted the defendant’s motion to dismiss based on a lack of “concrete and particularized injuries that are actual or imminent” after the pharmacy claimed that the plaintiff’s injuries were not fairly traceable to their actions.
The dismissal was overturned and remanded on appeal. Webb vs. Injured Workers Pharmacy subsequently settled.
Read more at Pharmacy Times.
With so many breaches every day, it can be difficult for plaintiffs to successfully allege that their harm or injury was linked to a defendant’s breach in particular, and challenges to standing continue.
