A federal magistrate judge is recommending the dismissal of some parts of a federal class-action lawsuit against Acadian Ambulance for a cybersecurity breach.
Magistrate Judge Carol Whitehurst, U.S. District Court, Western District of Louisiana in Lafayette, made the recommendations May 19 on Acadian Ambulance’s motion to dismiss a consolidated amended class action lawsuit over a 2024 data breach of customers’ and employees’ personal information.
A cybercriminal organization, Daixin Team, allegedly stole as many as 2.9 million Acadian customers’ and employees’ personal information, including Social Security numbers, birth dates and medical records, and sought a ransom. When Acadian refused to pay, Daixin Team claimed it published the information on the dark web where it could be used by identity thieves.
The plaintiffs allege Acadian was negligent, breached an implied contract, breached its fiduciary duty, and violated the Louisiana Unfair Trade Practices and consumer protection laws. They also sued for declaratory judgment and equitable relief and asserted jurisdiction under the Class Action Fairness Act.
Acadian filed a motion to dismiss the lawsuit for lack of CAFA subject matter jurisdiction, lack of standing and for otherwise failing to state claims.
In Acadian Ambulance’s favor
Acadian won on some of its arguments. Whitehurst wrote that the theoretical value of one’s personal information, as determined in other cases, doesn’t have an inherent monetary value or create an economic loss. The individual, she wrote, is instead compensated in ways like damages for invasion of privacy.
“Thus, absent any factual allegations showing how plaintiffs might quantify the diminution in value of personal information,” the court finds in favor of Acadian.
The 5th Circuit Court of Appeal rejected the loss of time as a concrete injury, she wrote, and would probably consider plaintiffs’ allegations that they spent additional time after the breach dealing with increased spam email and text messages, another victory for Acadian Ambulance.
Whitehurst also ruled against the plantiffs, writing that they lack standing to seek injunctive relief based on just the prospect of future cyberattacks rather than a concrete injury that is imminent and substantial. She also recommended the plaintiffs’ claims for unjust enrichment be dismissed.
The plaintiffs allege Acadian breached its fiduciary duty. The court, Whitehurst wrote, doesn’t need to decide this issue because the plaintiffs’ allegations don’t support whether Acadian’s alleged conduct was “intentional or grossly negligent.”
“The allegations do not show that Acadian intentionally, willfully or recklessly” allowed the cyberattackers into its computer system, she wrote.
Whitehurst also recommended the plaintiffs’ claims for breach of confidence and Louisiana Unfair Trade Practices Act be dismissed.
Against Acadian Ambulance
Whitehurst reviewed various prior court decisions and types of injuries plaintiffs have alleged when considering Acadian Ambulance’s motion to dismiss the case for lack of standing. Some of the plaintiffs, she wrote, allege they suffered present injuries.
For example, one plaintiff alleged unauthorized individuals used her stolen information to obtain health insurance and file tax documents, Whitehurst wrote. Another alleged his bank account was shut down for more than two months while he was traveling because of the data breach and another alleged someone charged $500 on his debit card.
Whitehurst agreed that publication of an individual’s personal information on the dark web constitutes a present injury, even if the only injuries are fear and emotional distress.
The federal magistrate judge also found that CAFA jurisdiction is appropriate in the case because more than 7,000 people were affected by the data breach, which meets a jurisdictional threshhold.
The Acadian employees and clients, she wrote, have shown their damages are traceable to Acadian’s alleged inadequate cybersecurity.
“The cyberattack would not have happened but for Acadian’s alleged security failures,” Whitehurst wrote. “Whether any plaintiffs suffered identity theft or fraud from some other data breach is an issue for trial on the merits after discovery.”
The plaintiffs, she wrote, adequately alleged a concrete injury. The allegations and specific allegations of injuries, along with the timing of the filing of the complaint one month after the cyber breach, are sufficient at this early stage to show causation, she wrote.
Federal Judge David Joseph is assigned to the case.
