UNITED STATES DISTRICT COURT MIDDLE DISTRICT OF FLORIDA TAMPA DIVISION
ANGELICA DIPIERRO, et al., on behalf of themselves and all others similarly situated,
Plaintiffs,
v. Case No: 8:23-cv-01864-KKM-NHA
FLORIDA HEALTH SCIENCES CENTER, INC.,
Defendant. ___________________________________ ORDER Angelica DiPierro, Stacey Graham, Deborah Ivey, Edward James, Sr., Keon Critchlow, and Aubrey Rassel sue Tampa General Hospital on their own behalf and as proposed representatives of a nationwide class. Am. Compl. (Doc. 8). Based on a May 2023 data breach, Plaintiffs allege common law tort and contract claims as well as violations of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA). Am. Compl. ¶¶ 185–243. Plaintiffs now move for preliminary certification of their class and for preliminary approval of a class-wide settlement. Mot. for Prelim. Approval (MPA) (Doc. 37). After careful consideration, I conclude that no named Plaintiff has standing. Accordingly, I remand the case to state court for lack of subject matter jurisdiction. I. BACKGROUND
Tampa General “is a private, not-for-profit hospital headquartered in Tampa, Florida.” Am. Compl. ¶ 39. Between May 12 and May 30, 2023, Tampa General’s computer systems experienced a data breach. ¶¶ 3, 51. During the incident, an
unauthorized third party infiltrated Tampa General’s systems and obtained access to certain files, which included “some patient information” from a group of roughly 2.1 million1 individuals. ; ¶ 4 (alleging that “names, addresses, phone numbers,
dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by [Tampa General] for its business operations” were “stolen”). On May 31, 2023,
Tampa General learned of the incident and started investigating. Am. Compl. ¶¶ 3, 5. On July 19, 2023, Tampa General began issuing “Cybersecurity Notice[s]” informing potentially affected individuals of what had happened. ¶ 51.2
1 The amended complaint states that “[Tampa General’s] investigation concluded that the Private Information compromised in the Data Breach included Plaintiffs’ and approximately 1.2 million other individuals’ information.” Am. Compl. ¶ 5; ¶¶ 9, 177. But the motion for preliminary approval and the settlement agreement each indicate over two million class members. MPA at 19 (explaining that numerosity is met because there are “approximately two million Settlement Class Members”);
Settlement Agreement (Doc. 37-1) at 2–3 (explaining that “[Tampa General’s]investigation confirmed the
[data breach] included approximately 2.1 million individuals’ Personally Identifiable Information”). Because the greater number of class members is used in the settlement agreement and in Plaintiffs’ most recent filings, I rely on it. 2 Appendix A reflects the full text of Tampa General’s cybersecurity notice as it currently appears. Relying on the cybersecurity notice posted online, Plaintiffs allege that a laundry list
of private information was stolen from each class member. Am. Compl. ¶ 4 n.3 (citing TAMPA GEN. HOSP., ( ) (last visited June 18, 2024), https://perma.cc/3D3F-GDR3;
¶ 51 (quoting same)). But the cybersecurity notice itself equivocates, explaining that, although Tampa General “reviewed the files involved and determined that patient information was included,” “[t]he information ” and only “
have included” the listed pieces of information. (emphasis added). Tampa General also hedged on whether any given individual’s information had been stolen. (explaining that it would “be mailing notification
letters to ” and “providing individuals whose Social Security number was involved with complimentary credit monitoring and identity theft protection services” (emphasis added)).
Two days after Tampa General posted the first cybersecurity notice, Plaintiffs sued in the Thirteenth Judicial Circuit Court in and for Hillsborough County, Florida. Class Counsel Decl. (Doc. 37-2) ¶ 4. Plaintiffs are patients who contracted with
Tampa General for healthcare services and provided the hospital with their private information during treatment. Am. Compl. ¶¶ 11–34. Plaintiffs allege that their information was stolen during the data breach and that they believe the information has been or will be sold on the dark web, consistent with hackers’ modus operandi.
¶¶ 53–54, 59, 120. They claim that Tampa General’s failure to employ reasonable data security practices and procedures allowed the data breach to occur. ¶ 52. More than a dozen similar suits were filed, most of which were later removed to
federal court and then transferred to me. All but one of the related federal actions were stayed pending mediation in this first-filed case. The Parties attended mediation and agreed on the terms of a proposed global settlement. Notice of Settlement
(Doc. 31). About two months later, the Parties finalized their agreement and submitted the settlement for preliminary class certification and approval. MPA; Settlement Agreement (Doc. 37-1). II. LEGAL STANDARD
Section 1447(c) of Title 28 provides that, in an action removed to federal court, “[i]f at any time before final judgment it appears that the district court lacks subject matter
jurisdiction, the case shall be remanded.” Thus, “[w]hen a case is removed from state to federal court and the plaintiffs do not have Article III standing in federal court, the district court’s only option is to remand back to state court.”
, 34 F.4th 988, 994 (11th Cir. 2022). III. ANALYSIS
Plaintiffs request that I certify a single preliminary class for purposes of settlement of “all persons in the United States who were sent notification from [Tampa General] that their Private Information3 as a result of the [data breach].”
MPA at 7 (emphasis added); Settlement Agreement ¶ 51.4 They also request that I approve the settlement agreement under Federal Rule of Civil Procedure Rule 23 on a preliminary basis. In evaluating the motion to preliminarily certify to settle, several standing
problems became evident. Because I conclude that none of the named Plaintiffs have Article III standing, I remand the case to state court for lack of subject matter jurisdiction. 28 U.S.C. § 1447(c); , 34 F.4th at 994. I also explain why, even if
one named Plaintiff had standing, class-wide standing concerns would likely pose substantial predominance problems preventing preliminary class certification. A. Article III Standing
Standing is a threshold issue in every federal case, and a federal court must evaluate a plaintiff’s standing throughout the litigation to ensure that the court maintains subject
3 The settlement agreement uses the blanket phrase “Private Information” to refer to two categories of information—“Personally Identifiable Information” and “Protected Health Information,” which together includes “names, addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by [Tampa General] for its business operations.” Settlement Agreement ¶ 2.
4 The amended complaint asserts two classes, one nationwide and one limited to Florida residents. Am. Compl. ¶ 174. Both the settlement agreement and the motion for preliminary certification and approval identify only a nationwide class. MPA at 7; Settlement Agreement ¶ 51. matter jurisdiction. , , 236 F.3d 1292, 1299 (11th Cir. 2001)
(“[A] court must zealously insure that jurisdiction exists over a case, and should itself raise the question of subject matter jurisdiction at any point in the litigation where a doubt about jurisdiction arises.”). Not only is standing an ongoing burden, “a plaintiff must demonstrate
standing for each claim he seeks to press and for each form of relief that is sought.” , 554 U.S. 724, 734 (2008) (citations and quotations omitted). He does so by establishing that he: “(1) suffered an injury in fact, (2)
that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” , 578 U.S. 330, 338 (2016).
“By limiting who can sue, the standing requirement implements ‘the Framers’
concept of the proper—and properly limited—role of the courts in a democratic society.’ ” , No. 23-235, slip op. at 7 (2024) (quoting J. Roberts, , 42 DUKE L. J. 1219, 1220 (1993)). Enforcement of “the standing requirement means that the federal courts may never need to decide some contested legal questions,” instead reserving them “to the political processes.” . This is a
feature of our constitutional system, not a bug. The separation of powers, the “single basic idea” that underwrites standing doctrine, at 5 (quoting , 599 U.S. 670, 675 (2023)), “was not simply an abstract generalization in the minds of the Framers: it was woven into the document that they drafted in Philadelphia in the summer
of 1787.” (quoting , 594 U.S. 413, 422–23 (2021)). In class actions, these requirements are temporarily abated by the “basic principle that at the class certification stage only the named plaintiffs need have standing.”
, 73 F.4th 883, 888 (11th Cir. 2023) (footnote omitted); ( ), 999 F.3d 1247, 1261 (11th Cir. 2021) (“[O]nly one named plaintiff must have standing as to any particular
claim in order for it to advance.”). Nonetheless, “[e]very class member must have Article III standing in order to recover individual damages. Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.” , 594
U.S. at 431 (quotations omitted). The amended complaint suffers from several standing problems. I discuss each in turn. 1. The Standard of Proof for Standing at the Preliminary Certification Stage of a Certification-for-Settlement Case Preliminary certification of a class for purposes of settlement initiates a process that
aims to produce a final order granting class members individual relief. With that immediate goal at hand, applying only the “one named plaintiff” principle of standing and the Federal Rules of Civil Procedure’s pleading standards makes little sense. Doing so merely delays
the threshold jurisdictional question until the fairness hearing or thereabout, but without allowing for meaningful discovery or other trial-related preparation in the interim to
establish standing for all class members. The concern can be seen in an example: Were this case to proceed to final judgment after a trial, “the specific facts set forth by [Plaintiffs] to support standing” would need to
“be supported adequately by the evidence adduced.” , 594 U.S. at 431(citations and quotations omitted). At the final judgment stage, pleadings of course would not suffice. That the parties might agree to certify a class to achieve a global settlement and secure a
final judgement via that route does not negate this jurisdictional hurdle. Indeed, the constitutional necessity that each plaintiff must prove standing before he is awarded relief creates some tension with the general idea of a certification-for-settlement class, the basic
purpose of which is to permit quick(er) mass litigation under appropriate circumstances but without the attendant discovery and trial burdens. Considering the open question of what standard of proof for standing is required at
the certification-to-settle stage brings this tension into focus. reserved “the distinct question whether every class member must demonstrate standing a court certifies a class.” at 431 n.4 (citing , 942 F.3d 1259, 1277
(11th Cir. 2019) (“A plaintiff need not prove that every member of the proposed class has Article III standing prior to certification, and in some cases a court might reasonably certify a class that includes some putative members who might not have satisfied the requirements of and decide to deal with the problem later on in the proceeding, but before it
awarded any relief.”)). Accordingly, the Supreme Court has never explained the burden of proof required to demonstrate standing in the certification-for-settlement context. , 65 F.4th 1243, 1254 (11th Cir. 2023) (explaining
that the burden is “unclear”). Faced with this uncertainty, the Eleventh Circuit has “assume[d] without deciding that the applicable standard [for demonstrating standing in such cases] is a pleading standard.” ; , 93 F.4th 1206, 1212 n.7
(11th Cir. 2024) (assuming the same). Plaintiffs do not address this concern or explain why a greater standard of proof should not apply to preliminary class certification when the sole purpose is to achieve a
global settlement, a final judgment awarding relief to the entire class. , 594 U.S. at 431 (“Every class member must have Article III standing in order to recover individual damages.”); , 942 F.3d at 1274 (“The essential point . . . is that at some
time in the course of the litigation the district court will have to determine whether each of the absent class members has standing before they [can] be granted any relief.”). Instead, they contend that “[t]here is no requirement that Article III standing be proved with
evidentiary support at the settlement approval stage,” drawing on a footnote in a pre- decision. MPA at 16 (citing , 999 F.3d at 1261 n.8). This argument overreads Eleventh Circuit precedent. Although appeared skeptical that “Plaintiffs were required to prove they had Article III standing with evidentiary support at
the final approval stage,” that opinion then stated that it “need not decide th[e] issue” because there was no factual challenge to standing. , 999 F.3d at 1261 n.8. The Eleventh Circuit’s recognition in and (as informed by the Supreme Court’s
intervening decision in ) that the standard of proof for demonstrating standing in a certification-for-settlement case is “unclear,” combined with those decisions’ express reservation of the issue, forecloses Plaintiffs’ broad reading of .
For purposes of the standing analysis below, I assume that a pleading standard applies. But the bottom line remains: Before I award any class member final relief, that member must have standing. , 594 U.S. at 431; ,
942 F.3d at 1274. Plaintiffs seem to assume that I can preliminarily approve their settlement agreement based on a pleading standard and then never explain how or when I would revisit their burden to establish standing for each class member with evidence before
entering a final judgment. This proposal raises constitutional concerns and is also particularly relevant to the predominance inquiry under Rule 23(b)(3). , 942 F.3d at 1272–77. Thus, even if I did not remand the case to state court for lack of standing,
further inquiry into the standard of proof would be prudent before I would preliminarily certify any class or approve any class settlement. 2. Data Breach Standing Principles
A plaintiff must allege an “injury in fact that is concrete, particularized, and actual or imminent” to plead the first element of standing. , 594 U.S. at 423 (citing , 504 U.S. 555, 560–61 (1992)). A concrete injury can be tangible—like a physical or monetary harm—or intangible—like harm to one’s reputation.
at 425. A harm is “actual” if it has already occurred, but a risk of future harm does not give rise to standing unless the risk is “sufficiently imminent and substantial.” at 435 (citing , 568 U.S. 398, 414, n.5 (2013)). Each kind of harm
has its own analytical framework, and a plaintiff’s proffered harms must be analyzed on a claim-by-claim, harm-by-harm basis. , , 73 F.4th at 889 (“[A] mere risk of future harm, without more, does not give rise to Article III standing for recovery of
damages, even if it might give rise to Article III standing for purposes of injunctive relief.”). “For purposes of the concrete injury analysis under Article III, [the Eleventh Circuit] ha[s] recognized three kinds of harm: 1) tangible harms, like physical or monetary
harms; 2) intangible harms, like injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts; and, finally, 3) a material risk of future harm when a plaintiff is seeking injunctive relief.” (cleaned up). Of course,
as a technical matter, the third category of concrete harm is simply a sufficiently imminent risk of one of the first two kinds of harm manifesting. Applying these principles in data breach litigation, the Eleventh Circuit has held
that “a plaintiff whose personal information is subject to a data breach can establish a concrete injury for purposes of Article III standing if, as a result of the breach, he experiences ‘misuse’ of his data in some way.” (quoting
, 986 F.3d 1332, 1343 (11th Cir. 2021)). Misuse can constitute both a present intangible injury and an imminent risk of tangible injury in the future. at 889–90, 890 n.9. For example, a plaintiff whose “credit card data and
corresponding personal information” is placed for sale on the dark web may seek damages and forward-looking relief because that kind of misuse “establishes both a present injury—credit card data and personal information floating around on the dark web—and a
substantial risk of future injury—future misuse of personal information associated with the hacked credit card.” at 889–90. To determine whether the named Plaintiffs or the class have standing, I must
analyze each harm alleged in the amended complaint under this rubric. 3. Plaintiffs’ Class-Wide Injury Arguments Even assuming the most generous standard of proof (plausibility under Federal Rule of Civil Procedure 8(a)(2)), the amended complaint does not establish that each (or any)
member of the class has suffered an injury in fact. At a high level of generality, Plaintiffs argue that the entire class has suffered an Article III injury because the class’s “Private Information was allegedly impacted in the [data breach] when an unauthorized third party
gained access to [Tampa General’s] files containing its patients’ sensitive and confidential information.” MPA at 16. Plaintiffs have developed several variations of this argument based on different harms. at 16–18; Resp. to MTD (Doc. 29). But none establish
that the class has, collectively, suffered a concrete injury or is at substantial risk of future harm. i. Increased Risk of Future Harm and Time and Effort Mitigating that Risk Plaintiffs’ first theory of standing is that the data breach “caused them harm including (1) a substantial increased risk of fraud and identity theft, and (2) time spent
dealing with the Data Breach’s consequences.” Resp. to MTD at 5–7. While both fraud and the loss of one’s time are tangible and therefore concrete, the allegations here are neither actual nor imminent for purposes of Article III.
A risk of future harm and a self-inflicted injury designed to mitigate that risk are “inextricably tied” together, and thus rise or fall as one for standing purposes. , 986 F.3d at 1344. In other words, a plaintiff’s “management-of-risk claim is bound
up with his arguments about actual risk.” , 979 F.3d 917, 931 (11th Cir. 2020) (en banc). The key for both, including in data breach litigation, is whether the risk of future harm is sufficiently substantial and imminent.
“[I]f the hypothetical harm alleged is not certainly impending, or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on
[himself] to mitigate [the] perceived risk.” , 986 F.3d at 1339 (quotations omitted). Thus, determining whether Plaintiffs have alleged sufficient facts to plausibly plead a concrete risk of future harm resolves any related issues about expenditure of time and effort
to mitigate against that future harm. In , after surveying the decisions of eight other circuits, the Eleventh Circuit promulgated a test for analyzing this fact pattern. at 1340–44. In short, “evidence
of actual misuse is not necessary for [an individual] plaintiff to establish standing following a data breach.” at 1343. But plaintiffs must identify “specific evidence of misuse of class members’ data” to plead a substantial risk of future harm. at 1344. “[V]ague,
conclusory allegations that members of the class have suffered” misuse do not suffice, even under a plausibility standard. at 1343 (citing , 556 U.S. 662, 678 (2009)).
The precise definition of “misuse,” and the necessary quantum of evidence required to show a substantial, class-wide risk of future harm, remain open questions. The answers to these questions should reflect the limited role of federal courts in our system of
constitutional government and ensure that federal courts decide cases only where plaintiffs have suffered real harm (or are at substantial risk of future harm). , 594 U.S. at 422–24. Courts concerned with safeguarding that limited role should take care to resolve remaining questions about the nature and quantum of required misuse in data
breach litigation to avoid definitions of misuse that would oblige the judiciary to “exercise general legal oversight . . . of private entities” based on a “roving commission to publicly opine on every legal question.” at 423–24; at 434 (“A letter that is not sent does
not harm anyone, no matter how insulting the letter is. So too here.”). Notwithstanding this uncertainty, , , and provide helpful touchstones to guide the inquiry.
was an easy “no standing” case. There, the district court concluded that Tsao lacked standing because he failed to “identify a single specific, concrete injury in fact that he or anyone else suffered as a result of any misuse of customer credit card information”
following the data breach. at 1337 (cleaned up). The Eleventh Circuit agreed, explaining that “Tsao offer[ed] only vague, conclusory allegations that members of the class
ha[d] suffered any actual misuse of their personal data—[t]here, ‘unauthorized charges.’ ” at 1343. Such “conclusory allegations of injury” could not confer standing based on the future risk of identity theft absent “specific evidence of some misuse of class members’ data.” at 1343–44.
presented a straightforward case in the opposite direction. There, the plaintiffs alleged “that their credit card and personal information was ‘exposed for theft
and sale on the dark web.’ ” 73 F.4th at 889. The allegation was much more specific than ’s vague claims about “unauthorized charges,” with the plaintiffs “explain[ing] that,
based on [the Defendant’s] internal reporting, the information for 4.5 million cards the hackers accessed in the Brinker system were found on Joker Stash,” a specific dark web marketplace. at 886–87 (emphasis added). This “critical” allegation—“that hackers took
credit card data and corresponding personal information from [the Defendant’s] systems and affirmatively posted that information for sale on Joker Stash”—was “the misuse for standing purposes that . . . was missing in .” at 889–90 (footnote omitted). The
Eleventh Circuit had no need to wrestle with the difficulties presented when (1) a named plaintiff’s factual allegations do not specify whether all of the class’s information was stolen and (2), even if alleged as stolen, whether all of the class’s information was posted for sale.
is an example of a less clear-cut case. There, “dozens of Plaintiffs allege[d] they ha[d] already had their identities stolen and thus suffered injuries in many different ways,” including actual fraud. 999 F.3d at 1262–63. Although dozens of instances of misuse
may not seem like much compared to a “class of approximately 147 million members,” at 1267, the Eleventh Circuit concluded that “the allegations of some Plaintiffs that they have suffered injuries resulting from identity theft support the sufficiency of all
Plaintiffs’ allegations that they face a of identity theft,” at 1263. Comparing Plaintiffs’ allegations to these examples, is the closest match. Plaintiffs generally allege that they “believe their unencrypted Private Information was sold on the dark web following the Data Breach, as that is the of hackers.”
Am. Compl. ¶ 99; ¶¶ 54, 120. They do not allege that all Plaintiffs’ information was on a particular website (nor would that necessarily be plausible if the only fact supporting the allegation is the language included in the
cybersecurity notice, which is opaque as to whether the entire class’s information was even ). The amended complaint also alleges that a single plaintiff, Edward James, Sr., suffered three instances of fraud “as a result of the Data Breach.” ¶ 153. None of
these allegations is sufficient to support class-wide standing. Neither , , nor hold that a single conclusory allegation of misuse as to one plaintiff following a data breach is enough to supply a
multi-million-member class with a universal injury based on the substantial risk of future harm. Article III requires more. And even if the cases stood for such a sweeping proposition, as I explain below, James’s individual allegations suffer from deficiencies such
that they cannot support his own standing, much less standing for the rest of the class. Plaintiffs’ conclusory allegation, contra Tampa General’s clear implication in its cybersecurity notice, that the entire class’s private information was stolen is simply
implausible. ¶¶ 4, 53, . The related allegation that Plaintiffs “believe” the class’s private information has been sold on the dark web is not enough either. Am. Compl. ¶¶ 54, 99, 120. Without the “critical” allegation that buttressed the complaint in (that the entire batch of stolen data was posted
for sale on a specific dark web marketplace), Plaintiffs’ conclusory allegation that they believe their information has been or will be sold because that is the nature of things is speculative. , 568 U.S. at 414 n.5 (explaining that an “attenuated chain of
inferences” and “speculation about the unfettered choices made by independent actors not before the court” is insufficient to satisfy the “substantial risk standard” (quotations omitted)); , 986 F.3d at 1339, 1343–44 (applying to data
breach standing). Because the amended complaint does not plausibly plead sufficient specific misuse to establish a substantial risk of future harm, Plaintiffs’ intertwined theories of injury fail. ii. Diminished Value of Private Information
Second is Plaintiffs’ suggestion that “the diminished value of [their] Private Information as a result of the Data Breach is itself a legally recognized, cognizable injury.” Resp. to MTD at 8. In their view, a plaintiff’s private information is “valuable property”
with a “considerable market value” in both legitimate and criminal marketplaces. Am. Compl. ¶¶ 110, 115; ¶¶ 110–19. That value, Plaintiffs claim, “has been damaged and diminished by [the information’s] compromise and unauthorized release.”
¶ 115. This argument fares no better—while lost value is a tangible injury, Plaintiffs have not shown that this injury is actual or imminent. Although Plaintiffs allege the existence of both legal and illegal markets for the kind
of information potentially compromised in the data breach, ¶¶ 110–19, there is no allegation that any Plaintiff has (or has ever had) the intention of selling such information to data brokers, legitimate or otherwise. As should be self-evident in a suit claiming harm
from a future risk of identity theft, Plaintiffs do not allege that they have sold or plan to sell their information to criminals. And the existence of a robust legal market for private information is not enough either because, “[a]t bottom, Plaintiffs’ diminished-value theory
assumes that the [data breach] afforded companies with whom Plaintiffs would voluntarily trade their [private information] access to [that information] without Plaintiffs’ permission.” , No. 22-cv-20105, 2022 WL 19486310, at *12
(S.D. Fla. May 10, 2022). “But what basis exists for that assumption? None, in the Court’s estimation.” At best, the assumption is impermissible “speculation about the unfettered choices made by independent actors not before the court.” ,
No. 23-235, slip op. at 10 (quoting , 568 U.S. at 414 n.5). Like many data breach litigants in this circuit who have unsuccessfully raised diminution of value arguments, Plaintiffs do “not adequately allege a devaluation of [their private information] . . . because
[they do] not plausibly explain how the [data breach] could have harmed Plaintiffs’ abilities to sell their [information].” , 2022 WL 19486310, at *12; at *10–12 (collecting cases rejecting the diminished value standing argument) “Absent any such explanation, [the] diminished-value argument founders.” at *12;
( ), 380 F. Supp. 3d 1243, 1257 (M.D. Fla. 2019) (“Plaintiffs have not alleged that their personal information has an independent monetary value that is now less than it was before
the Data Breach.”); , No. 17-cv-2120, 2018 WL 1465766, at *4 (N.D. Ga. Mar. 12, 2018) (finding no standing when plaintiff failed to “allege with particularity any facts explaining how her personal identity information is less valuable than
it was before the Breach”). iii. Emotional Injury Third, Plaintiffs identify the “emotional distress associated with the loss of control over their highly sensitive Private Information” as a potential intangible harm. ,
Am. Compl. ¶ 8; Resp. to MTD at 9. But as Plaintiffs conceded in their response to the motion to dismiss, courts in this circuit have ordinarily recognized such harms as sufficiently concrete in the data breach context only when “allegations of emotional
distress” are “coupled with the substantial risk of future harm.” Resp. to MTD at 9 (citing ( ), 603 F. Supp. 3d 1183, 1203 (S.D. Fla. 2022)). That accords with Supreme Court
precedent. In , the plaintiffs claimed “esthetic” injuries arising from the extinction of
endangered species. 504 U.S. at 562–63. While the Court acknowledged that aesthetic injuries are legally cognizable, the plaintiffs nevertheless lacked standing because they were not “among the injured” who might imminently lose the opportunity to observe the animals
directly. (quotation omitted); at 563–64 (explaining that extinction does not cause an actual or imminent injury where plaintiffs only have a vague intent to observe wildlife in the future). The same is true here. It is not enough that a plaintiff has a “special
interest in the subject,” emotional or aesthetic. at 563 (cleaned up). He or she must be “directly affected.” . Because Plaintiffs have not plausibly alleged a substantial risk of future identity theft under the framework, their allegations
of related emotional distress do not establish a concrete injury for standing purposes. iv. Lost Benefit of the Bargain Plaintiffs next allege that they have been tangibly injured because they lost the benefit of their bargain with Tampa General. Am. Compl. ¶¶ 124, 208;
Resp. to MTD at 9–10; MPA at 17–18. But they have not shown that this harm is actual. Plaintiffs’ factual allegations on this point are sparse. The primary claim is that “[w]hen agreeing to pay [Tampa General] for the provision of its health care services,
Plaintiffs and other reasonable consumers understood and expected they were, in part, paying for the service and necessary data security to protect [their private information].” Am. Compl. ¶ 124. This implied agreement was allegedly breached when Tampa General
“did not provide the expected data security,” resulting in Plaintiffs “receiv[ing] services that were of a lesser value than what they reasonably expected to receive under the bargains they struck.” Put differently, Tampa General “required [Plaintiffs] to provide [it] with their
Private Information to receive services” and thus “impliedly promised to protect” that information “through adequate data security measures” as part of its contract with patients. ¶¶ 227–28; ¶ 48.
To support this argument, Plaintiffs allege that Tampa General “made promises and representations to its Patients” that any private information collected “would be kept safe and confidential,” that “the privacy of that information would be maintained,” and that
Tampa General “would delete any sensitive information after it was no longer required to maintain it.” ¶ 43. They also invoke Tampa General’s “Privacy Practices disclosure,” which states that the hospital is “required by law to maintain the privacy of your [protected
health information under federal law] and to provide you with notice of our legal duties and privacy practices with respect to [that information].” ¶ 44. The disclosure assures readers that Tampa General is “committed to protecting the privacy of your health
information.” But conspicuously absent is any allegation that the named Plaintiffs (or any other class member) specifically relied on the privacy practices disclosure when deciding to become a patient. Also missing is any suggestion that the actual medical services Plaintiffs received (tellingly there is no discussion of these services beyond the
allegation that they occurred) were diminished in value by Tampa General’s data security practices. “Many courts have cast doubt on [the benefit of the bargain theory of standing in
data breach litigation], especially in cases where plaintiffs do not sufficiently allege reliance on defendants’ representations as to their security policies.” , 603 F. Supp. 3d at 1205; , , 380 F. Supp. 3d at 1257 (“[T]here are no factual
allegations demonstrating that the Parties mutually agreed that any portion of the sums paid from Plaintiffs to Defendants would be allocated to data security.”). I join those courts’ skepticism. Of course, “an economic injury qualifies as a concrete injury.”
, 942 F.3d 1076, 1084 (11th Cir. 2019). And the Eleventh Circuit has held that, in the context of a dietary supplement banned for sale by the FDA, “[a] person experiences an economic injury when, as a result of a deceptive act
or an unfair practice, he is deprived of the benefit of his bargain,” , by “acquir[ing] a worthless product,” at 1086. But was an especially narrow decision. at 1088 (“We caution that our decision is limited to the specific facts alleged in this
case—that the plaintiffs purchased dietary supplements that Congress, through the FDCA and the DSHEA, had banned from sale with the purpose of preventing consumers from ingesting an unsafe product.”). The facts here are far afield from the world of FDA regulation and “worthless” dietary supplements. While a hospital’s data security practices
may exert some abstract pressure on the price of healthcare services, they do not devalue the services themselves and they certainly do not render them worthless. A heart surgery is a heart surgery, data breach or not.
Because Plaintiffs have not plausibly alleged that Tampa General’s data security practices deprived them of the benefit of their bargain for healthcare services, this theory of class-wide injury also fails.5 v. Invasion of Privacy
Fifth and finally, Plaintiffs allege that they have suffered the intangible harm of an “invasion of privacy,” but that theory fails. ¶ 208; ¶ 209 (“loss of privacy”). District courts in this circuit have generally declined to recognize a concrete injury based
on conclusory allegations of loss of privacy in the data breach context unless those allegations are coupled with “a substantial and imminent risk of future identity theft.” , , 603 F. Supp. 3d at 1205. As explained above, Plaintiffs have failed to
plausibly plead that their information was in fact stolen and, relatedly, failed to plausibly
5 I note, in the alternative, that even if the lost benefit of an implied bargain for data security was a freestanding cognizable injury in data breach class actions, I would still likely decline to certify a class based on such a theory of standing because it would flunk Rule 23(b)(3)’s predominance requirement. Individualized questions about Tampa General’s representations, whether patients would have sought treatment elsewhere absent those representations, and whether any given patient’s information was stolen, (explaining that “some patient information” was obtained and that this information “may have included” certain pieces of information), would inevitably overwhelm common questions of law and fact. The class action device is inappropriate in such situations. plead any such risk. Thus, Plaintiffs cannot show a class-wide injury based solely on the
allegation that the data breach resulted in an invasion of privacy. Any other result would undermine ’s conclusion that “[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.” 986 F.3d at 1344.
Plaintiffs believe that their invasion-of-privacy harm suffices to establish standing under the test established by the Supreme Court in In that case, the Court explained that certain intangible harms can be concrete if they bear “a close relationship to
a harm traditionally recognized as providing a basis for a lawsuit in American courts.” , 594 U.S. at 425 (quotations omitted); MPA at 16–17 (advancing this theory). Plaintiffs aver that the invasion of privacy tort provides the requisite “close
historical or common-law analogue for their asserted injury,” even though they neither bring a claim for invasion of privacy nor identify which of their claims is sufficiently akin to that common law tort. , 594 U.S. at 424.
Eleventh Circuit precedent forecloses this route to standing. reasoned “that the common-law analogue analysis is to legislature-made statutory violations because the Supreme Court has not applied it to any other kind of
intangible harm.” 73 F.4th at 890 n.9. Thus, if the cause of action in a data breach case originates from the common law, rather than from a statute, ’s ‘misuse’ requirement remains the order of the day. Plaintiffs may not rely on to rescue their
common-law claims from and . In their effort to invoke , Plaintiffs do not distinguish between their common-law claims and their statutory claim under the FDUTPA. And they certainly
have not shown that a FDUTPA claim is analogous to the common law tort of invasion of privacy. , 48 F.4th 1236, 1242–50 (11th Cir. 2022) (en banc) (discussing and applying the common-law-analogue
analysis at the level of a claim’s individual elements); , 74 F.4th 1336, 1343 (11th Cir. 2023) (en banc) (“[T]he relationship between the harms we compare is too attenuated when a plaintiff completely fails to allege an element essential to the harm set
out as a common-law comparator.” (quotations omitted)). In the light of Plaintiffs’ failure to identify any potential common-law analogue for their FDUTPA claim, much less a plausibly appropriate one, they have not shown standing based on .6
6 It is somewhat unclear whether the common-law-analogue analysis applies to state statutory claims at all. Footnote nine of cabins the framework to “legislature-made statutory violations” but also confirms that remains good law after . 73 F.4th at 890 n.9. And although seems to have understood ’s application of the misuse requirement to be “in the context of a state common-law negligence claim,” , the operative complaint in included a statutory claim under the FDUTPA. , 986 F.3d at 1336 (“Based on these alleged injuries, the Complaint claims that PDQ . . . violated the Florida Unfair and Deceptive Trade Practices Act by failing to, among other things, maintain adequate data security practices (Count VI).” (cleaned up)); , No. 18-cv-1606, Compl. (Doc. 1) ¶¶ 148–60 (M.D. Fla. July 3, 2023). Because the district court decision in dismissed the entire complaint without prejudice for lack of standing and the Eleventh Circuit affirmed in full, applying the “misuse” requirement for standing in data breach cases to a state statutory claim was likely necessary to ’s holding. 4. James’s Individualized Standing Argument
Regardless of the ability to demonstrate class-wide standing, Plaintiffs may certify a class under Eleventh Circuit precedent so long as one named plaintiff demonstrates standing for each of the class’s claims and each form of requested relief. , 73 F.4th at 888; , 594 U.S. at 431. James presents Plaintiffs’ only arguable case.
He alleges that he “discovered a fraudulent charge to his bank account in the amount of $2,600.70 for the purchase of a television” and suffered “two unauthorized ATM withdrawals in the amount of $400 each from his bank account” at some indeterminate
time “[s]ince the data breach.” Am. Compl. ¶ 153. These allegations are both tangible harms and sufficient “misuse” to provide James a concrete injury based on the risk of future identity theft under and . But that does not end the standing inquiry.
James must also demonstrate that his injury (or risk of future injury) is “fairly traceable to the challenged conduct of the defendant.” , 578 U.S. at 338. James has not pleaded facts plausibly alleging (nor introduced evidence establishing)
that the three fraudulent charges are “fairly traceable” to Tampa General’s data breach. , 73 F.4th at 889 n.6 (“We may review both the allegations in the complaint and evidence in the record so far to determine whether the named plaintiffs in
this case have established Article III standing for class certification purposes.”); at 890–91 (concluding that two of three named plaintiffs in a data breach class action lacked standing on traceability grounds, despite adequately alleging a class-wide
concrete injury, when the record revealed that they did not visit the affected business during the “at-risk time frame”). Evaluating traceability in the context of a data breach might not always be difficult. In , for example, the causation question was easy because
“the information for all 4.5 million cards the hackers accessed in the Brinker system were found on Joker Stash.” 73 F.4th at 886–87. When a batch of private information subject to a data breach is posted for sale en masse on a single dark web marketplace, traceability
flows. But when the alleged injury is based on scattered instances of individualized misuse, a more nuanced inquiry necessarily applies. That inquiry reveals several critical flaws in James’s allegations.
The first traceability problem relates to the scope of the data breach. James alleges that he received a letter from Tampa General explaining that “some combination of his name, address, phone number, date of birth, Social Security number, health insurance
information, medical record number, patient account number, dates of service, and/or limited information related to treatment received at [Tampa General] used by Defendant for its business operations” was “improperly accessed and obtained by unauthorized third
parties.” Am. Compl. ¶ 152. On its face, this allegation appears unequivocal that at least “some” of James’s information was stolen. But the cybersecurity notice, which the amended complaint reproduces in full and relies on as a primary source, promised only that Tampa General would “mail[] notification letters to
in this event.” . James does not attach the letter directed to him, so there is no way to confirm whether the letter contains the concrete language of his allegation or the more equivocal “may have been” that Tampa General used in the
cybersecurity notice. Without a clear answer, this apparent inconsistency casts doubt on whether James’s information was actually taken, which in turn bears on whether the fraud James claims to have suffered is plausibly traceable to the data breach.
But even if “some” of James’s information was accessed as alleged, he does not claim that any banking or other financial information related to the fraudulent claims on his bank account was stolen. That omission is notable. Instead, he recites a laundry list of potential
pieces of information that may have been accessed in some combination, but never connects them with the claimed misuse of his bank account and debit cards. Am. Compl. ¶ 152 (alleging only that what was stolen “comprised some combination of” James’s private
information related to personal identifiers and health records, but never mentioning any financial information or the like). This creates a substantive mismatch between bank and ATM fraud and the subject-matter of the data stolen in the breach. Without additional
factual allegations to bridge the gap, James has not plausibly alleged how any of the potentially stolen information could fairly cause the $2,600 unauthorized charge to his bank account or the two $400 ATM withdrawals. The requisite leaps of factual allegations and
logic present serious traceability problems. Finally, James suffers from the same hurdle that almost every data breach plaintiff will, even those who can allege misuse: It is far from clear that the three identified instances
of fraud are fairly traceable to the Tampa General data breach (or indeed, to any data breach). To be sure, “traceability does not equate to proximate cause.” , 57 F.4th 916, 927 (11th Cir. 2023). But
unlike , this is not a situation where the causation inquiry is complicated by multiple actors working in a single chain of events preventing attribution to one alone. at 926–27. The question instead is whether the alleged misuse stems from one of
many parallel, independent causes, each of which could have resulted in the harm. In , the plaintiffs avoided this problem by alleging that thieves posted the batch of stolen credit cards en masse to a single dark web marketplace, 73 F.4th at 886, thereby
rendering traceability quite plausible. Plaintiffs here make no such allegations. And James merely alleges that the data breach occurred prior to the fraudulent credit card charges, which is insufficient without allegations establishing the proximity of the fraudulent
charges to the date of the data breach. Am. Compl. ¶ 153. It is possible that the hackers used the information inappropriately themselves. It is also possible that they sold the information directly to another for malfeasance. Or perhaps nothing has happened from the potential exposure of information, at least not based on the episode at Tampa General.
That a plaintiff can conjure hypotheticals does not mean that he has plausibly pleaded (much less proven for purposes of final judgment after class certification) traceability. In the same vein, James’s alleged injuries could have resulted from a different data breach,
unrelated to Tampa General, or identity theft unconnected to a data breach at all. James’s description of how carefully he otherwise protects his private information cannot immunize his faulty allegations. ¶ 151 (alleging that “James is very careful
about sharing his sensitive Private Information,” that he “stores any documents containing his Private Information in a safe and secure location,” and that he “has never knowingly transmitted unencrypted sensitive Private Information over the Internet or any other
unsecured source”). This recitation is best understood as an attempt to support a negative inference—because James is generally careful with his private information, the fraud alleged was likely not caused by some other data breach or incident. But the very existence of this
case shows that locations generally understood as “safe and secure” (like hospital computer systems) can transform into risk vectors with little warning. And tellingly, James does not allege that his private information has never been compromised before or after
Tampa General’s data breach incident. Together, these flaws negate a showing of traceability, even under a plausibility standard of proof. And if evidence is required, as implies must be true before I can order individualized relief in a class action, 594 U.S. at 431, then the question is
not even close. * * * Neither James, nor any other named Plaintiff, has shown individualized standing
under even the most lenient standard of proof. And Plaintiffs’ numerous class-wide standing theories all fail. Thus, Plaintiffs lack standing to sue in federal court, either as individuals or as class representatives. In the light of this jurisdictional defect, I must
remand the case to state court under 28 U.S.C. 1447(c). , 34 F.4th at 994. B. Even if Plaintiffs’ Had Standing, the Rule 23 Analysis Would Likely Not Favor Certification Although I do not reach the merits of Plaintiffs’ motion for preliminary class certification, I briefly explain why Plaintiffs’ standing problems would also likely result in
an intractable predominance problem under Rule 23(b)(3), even if I was not required to remand to state court. In the light of the standing deficiencies discussed above and the Eleventh Circuit’s
decisions in and outlining the relationship between standing and predominance, the class as defined is unlikely to produce a scenario where “questions of law or fact common to class members” will “predominate over . . . questions affecting only
individual members,” specifically, the questions surrounding the standing of each class member. FED. R. CIV. P. 23(b)(3). In fact, understanding the interaction between
standing and predominance only underscores the grave nature of Plaintiffs’ standing deficiencies. “Common issues of fact and law predominate if they have a direct impact on every
class member’s effort to establish liability and on every class member’s entitlement to injunctive and monetary relief.” , 942 F.3d at 1274 (cleaned up). “[C]ommon issues will not predominate over individual questions if, as a practical matter, the resolution
of an overarching common issue breaks down into an unmanageable variety of individual legal and factual issues.” (quotations omitted). The inquiry “requires more of a qualitative than quantitative analysis” and entails “a pragmatic assessment of the entire
action and all the issues involved.” (quotations omitted). In , the Eleventh Circuit vacated a Telephone Consumer Protection Act class based on the district court’s failure to appropriately consider standing problems in the
predominance inquiry. at 1272–77. Although affirmed the traditional “one named plaintiff” rule and rejected “the proposition that all class members must prove their standing before a class [can] be certified,” the panel concluded that “[i]n some cases,
whether absent class members can establish standing may be exceedingly relevant to the class certification analysis required by [Rule 23].” at 1273. The issue of absent class members’ Article III standing “pose[d] a powerful problem under Rule 23(b)(3)’s predominance factor,” , “because at some point before it can award relief, the district
court will have to determine whether each member of the class has standing,” at 1274. The “essential point” is just that—“at some time in the course of the litigation the district court will have to determine whether each of the absent class members has standing before
they [can] be granted any relief.” at 1275. Of course, “[t]hat is an individualized issue,” , and a district court must consider it in the predominance inquiry under Rule 23(b)(3). To be clear, did “not hold . . . that a court is required to ensure that the
class definition does not include individuals who do not have standing before certifying a class.” at 1276. But it does instruct district courts to “consider under Rule 23(b)(3) before certification whether the individualized issue of standing will predominate
over the common issues in the case, when it appears that a large portion of the class does not have standing, . . . and making that determination for these members of the class will require individualized inquiries.” at 1277. As I explained above, Plaintiffs do not allege
facts that plausibly state a class-wide injury. No named Plaintiff can establish individualized standing either, preventing the “one named plaintiff” rule from kicking in. As a result, even evaluated as individuals, it seems quite likely that few members of the proposed class could
establish standing when all was said and done. Sifting through millions of class members to find a few needles in the haystack would likely require the fine-grained legal and factual analyses that ordinarily prevent a finding of predominance under Rule 23(b)(3). , 73 F.4th at 893 n.14
(explaining that the district court needed to “determine whether its class definitions would require individualized proof of standing, especially as to time or effort expended to mitigate the consequences of the data breach”). That is especially so when a proposed class definition
is especially broad. MPA at 7 (defining the proposed settlement class as “all persons in the United States who were sent notification from [Tampa General] that their Private Information was as a result of the [data breach]” (emphasis
added)); , 73 F.4th at 892–93 (rejecting the district court’s predominance analysis because the class definition was overbroad and the court failed to conduct a predominance analysis as to uninjured absent class members).
Thus, even if James or another named Plaintiff established standing under the one named plaintiff rule, I would likely be unable to certify a class for failure to satisfy Rule 23(b)(3). IV. CONCLUSION
Accordingly, the following is ORDERED: 1. The Clerk is directed to REMAND this action to the Circuit Court for
the Thirteenth Judicial Circuit in and for Hillsborough County, Florida, and to transmit a certified copy of this order to the clerk of that court. 2. The Clerk is further directed to TERMINATE any pending motions and deadlines, and to CLOSE this case. ORDERED in Tampa, Florida, on June 18, 2024.
ate a Mizelle United States District Judge
Appendix A As of June 18, 2024, Tampa General’s Cybersecurity Notice read as follows:
Cybersecurity Notice Notice to Our Patients of Cybersecurity Event Tampa General Hospital considers the health, safety, and privacy of our patients and team members a top priority. Regrettably, this notice concerns a cybersecurity event that may have involved some of that information.
What Happened? On May 31, 2023, through our proactive monitoring tools, TGH detected unusual activity on our computer systems. We immediately took steps to contain the activity and began an investigation with the assistance of a third-party forensic firm. Fortunately, TGH’s monitoring systems and experienced technology professionals effectively prevented encryption, which would have significantly interrupted the hospital’s ability to provide care for patients. However, the investigation determined that an unauthorized third party accessed TGH’s network and obtained certain files from its systems between May 12 and May 30, 2023.
TGH reported the event to the FBI and provided information to support its investigation of the criminal group responsible. What Information Was Involved? We reviewed the files involved and determined that some patient information was included. The information varied by individual, but may have included names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by TGH for its business operations. TGH’s electronic medical record system was not involved or accessed. What is TGH Doing? TGH considers the health, safety and privacy of patients and team members a top priority. The hospital is continuously updating and hardening systems to help prevent events such as this from occurring and has implemented additional defensive tools and increased monitoring. What Can Patients Do? TGH will be mailing notification letters to individuals whose information may have been involved in this event and is also providing individuals whose Social Security number was involved with complimentary credit monitoring and identity theft protection services. Patients are encouraged to review statements from their health insurer and healthcare providers, and to contact them immediately if they see any services they did not receive. For More Information: Patients with questions can call the dedicated call center at 1-833-627-2718, Monday through Friday, between 9:00 a.m. and 9:00 p.m. Eastern Time.