Please ensure Javascript is enabled for purposes of website accessibility

Court revives lawsuit against Baltimore-based optometry board

Applicants have standing in alleged data breach, 4th Circuit says

The 4th U.S. Circuit Court of Appeals, housed at the Lewis F. Powell Jr. U.S. Courthouse in Richmond, Virginia. (U.S. General Services Administration)

The 4th U.S. Circuit Court of Appeals, housed at the Lewis F. Powell Jr. U.S. Courthouse in Richmond, Virginia. (U.S. General Services Administration)

A federal appeals court has revived a lawsuit brought by optometrist applicants who claim a data breach at the industry’s Baltimore-based examining board resulted in disclosure of their personal information to computer hackers who applied for credit cards in their names.

In its published 3-0 decision, the 4th U.S. Circuit Court of Appeals said U.S. District Judge James K. Bredar of Baltimore was wrong to have ruled that the applicants lacked standing to sue the National Board of Examiners in Optometry Inc. because their claimed injuries were merely speculative as no money was drawn on their accounts and they failed to sufficiently allege that NBEO was at fault.

NBEO denies the allegations of fault.

The 4th Circuit decision was its latest interpretation of Supreme Court precedent regarding when plaintiffs have alleged a sufficient injury and claimed an adequate link to a named defendant to give them standing to sue under Article III of the U.S. Constitution.

In its ruling filed Tuesday, the 4th Circuit said the applicants’ claimed injuries from the alleged hacking were more than speculative as they had to incur the time and out-of-pocket costs to protect their credit ratings and prevent future damage from the identity theft.

“Here, the plaintiffs allege that their data has been stolen, accessed, and used in a fraudulent manner,” Judge Robert B. King wrote for the appellate court.

“And although incurring costs for mitigating measures to safeguard against future identity theft may not constitute an injury-in-fact when that injury is speculative, the (Supreme) Court has recognized standing to sue on the basis of costs incurred to mitigate or avoid harm when a substantial risk of harm actually exists,” King added. “Because the injuries alleged by the plaintiffs are not speculative, the costs of mitigating measures to safeguard against future identity theft support the other allegations and together readily show sufficient injury-in-fact to satisfy the first element of the standing to sue analysis.”

The 4th Circuit also found that the applicants sufficiently alleged NBEO’s negligence by claiming the board was the only entity that had collected personal information from each of them. In addition, mailings from the credit-card company after the alleged breach were addressed to a since-married applicant by her maiden name and to a since-divorced applicant by her married name, the 4th Circuit said in reviewing the plaintiffs’ complaint.

“Notably, the plaintiffs allege that, amongst the group of optometrists, the NBEO is the only common source that collected and continued to store Social Security numbers that were required to open a credit card account, and also stored outdated personal information (such as maiden names and former married names) during the relevant time periods” of the alleged security breach, King wrote.

“Furthermore, other national optometry organizations do not gather or store Social Security numbers, or have investigated and confirmed that their databases have not been breached,” King added. “Put simply, the complaints contained sufficient allegations that the NBEO was a plausible source of the plaintiffs’ personal information.”

Judges Paul V. Niemeyer and Albert Diaz joined King’s opinion in Rhonda L. Hutton et al v. National Board of Examiners in Optometry Inc., No. 17-1506.

To purchase a reprint of this article, contact [email protected].