Two unencrypted laptop computers containing PHI on 1.2 million current and former AvMed members, including Social Security numbers, were stolen from an office in Gainesville. The laptops were sold to an individual with a history of dealing in stolen property. Plaintiffs in a class action lawsuit filed against AvMed included two named members who suffered identity theft following the laptop theft.
A district court ruled, among other issues, that plaintiffs failed to state a known injury and did not have legal standing to proceed with the suit. The appeals court found sufficient cause for standing and that plaintiffs established a claim for entitlement of relief from AvMed because of harm from identity theft. “The Eleventh Circuit focused the bulk of its analysis on the question of causation as it related to damages and conducted an analysis under Rule 8 to determine whether plaintiffs allege a plausible basis for inferring that their sensitive information was obtained from AvMed,” the InfoLawGroup blog explains.
However, the appeals court also found that plaintiffs insufficiently argued for entitlement to relief under Florida law for claims of negligence, breach of contract and implied contract, and breach of the implied covenant of good faith and fair dealing. “We therefore reverse in part, affirm in part, and remand the case to the district court for further proceedings,” according to the ruling, available here.
The importance of the appeals court ruling is that it could bring more data breach litigation before the Eleventh Circuit, the InfoLawGroup blog notes. The case “fairly clearly outlines what the Court views as the minimum requirements to establish causation in a data breach/identity theft case.”