Showing posts with label identity theft. Show all posts

Tuesday, January 23, 2024

Plaintiff drops privacy suit that stretched to claim against UMass Medical in nationwide data breach

UMass Chan Medical School
Mass. Office of Travel & Tourism via Flickr CC BY-ND 2.0
Until six days ago, the University of Massachusetts Chan Medical School was defending a privacy suit over a data breach, though the plaintiff's liability theories looked thin.

There doesn't seem to be any dispute over the fact of the data breach. UMass Chan was just one of hundreds of organizations nationwide implicated in a breach affecting tens of millions of people. According to the security firm Emsisoft (which has a commercial interest in higher numbers), the breach affected more than 2,700 organizations and the data of more than 94 million persons (last updated Jan. 18, 2024).

The common point of compromise for all of these organizations was a managed file transfer product, MOVEit Transfer, made by publicly traded, Burlington, Mass.-based Progress Software Corp. UMass Chan used MOVEit to transfer personal information to other state agencies and programs. Hackers obtained and published the data of more than 134,000 persons, including recipients of state supplemental income and elder services.

According to state officials, WBUR reported, the "exposed data varies by person, but in each case includes the person's name and at least one other piece of information like date of birth, mailing address, protected health information like diagnosis and treatment details, Social Security number, and financial account information." The commonwealth notified affected persons and offered free credit monitoring and identity theft protection.

The complaint filed in federal court in September 2023 sought class action certification. The named plaintiff blamed UMass Chan for weak security and delayed notification resulting in a fraudulent attempt to use her debit card. Wednesday last week, the plaintiff voluntarily dismissed without prejudice, meaning the case might not yet be over.

The articulated causes of action, though, were a stretch. That's not to say that the putative plaintiffs suffered no injury. The problem rather is that the law in most states, including Massachusetts, and at the federal level still fails to define data privacy wrongs in a manner on par with the law of Europe and most of the rest of the world.

There was no statutory cause of action in the UMass Chan complaint. The diversity complaint alleged counts of negligence, breach of contract, and unjust enrichment.

Negligence has not been a productive vein for privacy plaintiffs, who lack the usually prerequisite physical injury. Massachusetts cracks open the door more than most other states to negligence actions based on lesser injury claims, such as emotional distress or economic loss. But it's not a wide opening.

Privacy actions in state law meanwhile are problematic because American common law has not yet well established the nature of the plaintiff's loss according to conventional understandings of injury. Indeed, federal courts disagree over when a statutory state privacy action supplies the "injury-in-fact" standing required by the federal Constitution. 

The named plaintiff in the UMass Chan case hastened to emphasize her contractual relationship with UMass Chan as a service provider, in an effort to anchor the negligence claim within a strong relationship of duty and so get through the Massachusetts doorway. She pointed to the debit-card incident and the identity risk it evidenced to establish economic loss, at least.

It's not clear that the pleading could have pushed over the hurdles to negligence recovery. I have advocated for the evolution of common law tort to close the gap in recognition of privacy violations in U.S. law, similarly to how UK courts developed the "misuse of private information" tort in common law to complement transposition of EU data protection. The Massachusetts Supreme Judicial Court could do that; certification would be required here in a federal case. But the trend in American data privacy law rather has been for the courts to wait on legislators to move the ball forward.

The other liability theories were a stretch, too. In contract, the plaintiff alleged herself a third-party beneficiary of data sharing agreements between UMass Chan and its state partners. Third parties can claim rights in a contract, but the proof is stringent. Contract law also raises a damages problem. The plaintiff here was not seeking specific performance, and it's not clear that any recovery in contract law would exceed the remediation the commonwealth already offered.

The equitable claim of unjust enrichment theorized essentially that UMass Chan benefited financially by cheaping out on security. That's creative, but a plaintiff in equity usually wants back something she lost to the defendant. A differential in the cost of contract services is speculative, and it's an attenuated causal chain to allege detriment to UMass Chan clients.

Privacy plaintiffs in the United States have seen some success using laws that predate contemporary data breaches. But those theories won't work here. Massachusetts once had a leading data regulatory system in its requirements for secure data management (201 CMR 17.00, the data security regulations issued under chapter 93H). But the law is now well worn and has not kept up with other states, California being the model. Critically, the Massachusetts regs don't provide for private enforcement; only the attorney general enforces them.

Some plaintiffs have found success with the dated (1986) Computer Fraud and Abuse Act. But a federal CFAA claim would be leveled properly against the hacker. The alleged culpability of UMass Chan is more accident than abuse.

It is unfortunately common for American privacy plaintiffs to flail in trying to state a wrong in litigation, and it will remain so as long as the United States lacks a comprehensive approach to data protection. I wrote 10 years ago already that American expectations in data privacy had outpaced legal entitlements.

The pivotal factor in whether MOVEit breach victims find any relief is likely to be the state where they and their defendants are located. Perhaps the case will push commonwealth legislators at last to act on a bill such as the proposed Massachusetts Information Privacy and Security Act (see, e.g., Mass. Tech. Leadership Council).

The case is Suarez v. The University of Massachusetts Chan Medical School (D. Mass. filed Sept. 18, 2023).

Sunday, June 27, 2021

Disputed allegations in malicious prosecution suits against Apple raise data protection issues

Apple Store Osaka (Sébastien Bertrand CC BY 2.0)
A case of identity theft, now the subject of lawsuits against Apple and a security contractor, Security Industry Specialists (SIS), in three jurisdictions, seems to have raised an alarm about data protection.  But the case might be more complicated than it first appears, as the defendants have accused the plaintiff of false pleadings.

Plaintiff Ousmane Bah was a 17-year-old Bronx honors student and permanent resident alien applying for citizenship at times relevant to the complaints.  An acquaintance of Bah's acquired Bah's temporary New York driving learner's permit (ID); it is disputed what Bah knew about the acquisition.

The ID did not have a photo, and the biographical data did not match the acquaintance's in all particulars, such as height.  Nevertheless, when the acquaintance was, according to the complaints, apprehended trying to shoplift from Apple stores in New York, New Jersey, and Massachusetts, he was misidentified as Bah.  Bah was criminally charged, subject to arrest warrants, and repeatedly compelled to defend himself.  The case does not directly implicate the known risk of race discrimination in facial recognition algorithms.  But in Bah’s version of events, Apple's use of facial recognition technology to identify the perpetrator in subsequent incidents gave police a false confidence that the suspect was Bah.

Apple and SIS have filed for Rule 11 sanctions in New Jersey and characterize the complaint in that jurisdiction as fiction.  They rely on discovered communication between Bah and the acquaintance to allege that Bah knew well that he was being impersonated, and that misidentification resulted from the acquaintance’s deliberate deception, not from error on the part of Apple or SIS. 

Media have been quick to seize on the allegations in the initial complaint, which does resonate with extant privacy issues in public policy.  If the plaintiff’s allegations are complete and accurate, then the case speaks to Americans’ lack of comprehensive data protection law.  A data protection regulation like Europe’s, generally speaking, would shift the burdens of fair and accurate identification to the defendants, rather than a victim of identity theft, time and again.

Moreover, if the plaintiff’s allegations are complete and accurate, the case has unpleasant overtones in race and socioeconomic equality.  A mismatch of data between the false ID and the acquaintance's appearance prompts concern that “black” was all the retailer needed to see, and one must worry whether persons of limited means can afford to defend themselves against false charges and wrongful arrest, not to mention the collateral effects of publication of misidentification to third parties, such as employers and creditors.

Bah claims defamation and malicious prosecution.  The complaints at least allege evidence in support of actual malice, which Apple and SIS deny.  Malicious prosecution is usually a claim made against public officials in tandem with civil rights violations, but the tort is viable against private parties who initiate criminal proceedings on false pretenses.  Whether the plaintiff’s allegations hold up, I do not know.  The counter-allegations of Apple and SIS in seeking sanctions in the New Jersey case are biting.

The cases are:

  • Bah v. Apple Inc., No. 1:19-cv-03539-PKC (S.D.N.Y. filed Apr. 22, 2019) (Court Listener);
  • Bah v. Apple Inc., No. 2:20-cv-15018-MCA-MAH (D.N.J. filed Oct. 27, 2020) (Court Listener); and
  • Bah v. Apple Inc., No. 1:21-cv-10897-RGS (D. Mass. filed May 28, 2021) (Court Listener).
Bah is represented in the New York case by UMass Law alumnus Subhan Tariq, '13.  My thanks to Steven Zoni, '13, for bringing this case to my attention.