Medical imaging company beats suit over ransomware attack

(Reuters) - Arizona-based Assured Imaging LLC has escaped a proposed class action over a 2020 ransomware attack on its electronic medical record system, at least for now, after a federal judge found the plaintiffs in the case lack standing to sue.

FILE PHOTO: A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

U.S. District Judge John Hinderaker in Tucson on Monday granted Assured’s motion to dismiss the case, concluding that the plaintiffs haven’t sufficiently alleged they suffered an injury in fact to establish standing.

The plaintiffs, who were Assured patients, alleged that they are at a heightened risk of identity theft and may incur costs for protective measures after the attack, among other injury claims. Assured provides mobile digital mammography and other services, according to its website.

“We respectfully disagree with the court’s ruling and are considering our options,” David Lietz of Mason Lietz & Klinger, a lawyer for the plaintiffs, said in an email. The judge left the door open for the plaintiffs to amend their complaint for a second time.

Two lawyers for Assured from Baker & Hostetler and Coppersmith Brockelman didn’t immediately respond to requests for comment Tuesday.

The litigation stems from a May 2020 cyberattack on Assured’s computer systems, which led to a ransomware attack that encrypted patient data from its electronic medical record system, according to the complaint. Assured notified affected people a few months later, sharing that “limited” data was exfiltrated and unknown actors may have accessed some patient information, the complaint said.

Four named plaintiffs in an amended complaint brought claims including negligence, breach of implied contract, breach of fiduciary duty and violation of Arizona’s consumer fraud law.

Assured moved to dismiss, arguing the plaintiffs don’t sufficiently allege they suffered injury in fact. Judge Hinderaker in his Monday order agreed, citing other data breach cases.

Hinderaker agreed with Assured that the type of information potentially accessed - names, addresses, medical history and other patient data - don’t rise to the level needed to find a “certainly impending injury.”

The plaintiffs haven’t adequately alleged their data was stolen, and even if it were, “they have not shown that the personal information at issue is sufficiently sensitive to give rise to an imminent or certainly impending injury in fact for Article III standing purposes in data breach cases,” he found.

Since the plaintiffs don’t establish they are at an increased risk of future harm, the alleged injury from spending time and money to mitigate fallout from the attack also isn’t enough for standing purposes, the judge said.

They also don’t sufficiently allege the other claimed injuries, including that their personal information is less valuable, that they overpaid for the service, and that some plaintiffs suffered emotional distress and anxiety, Hinderaker found.

The case is Travis et al v. Assured Imaging LLC, U.S. District Court for the District of Arizona, No. 4:20-cv-00390-JCH

For the plaintiffs: David Lietz of Mason Lietz & Klinger; Hart Robinovitch of Zimmerman Reed

For Assured: Paul Karlsgodt, David Carney and Marcus McCutcheon of Baker & Hostetler; Keith Beauchamp and Shelley Tolman of Coppersmith Brockelman