Opinion
5:22-cv-04036-HLT-KGG
10-20-2022
DOROTHY BLOOD, et al., individually and on behalf of all others similarly situated, Plaintiffs, v. LABETTE COUNTY MEDICAL CENTER, Defendant.
MEMORANDUM AND ORDER
HOLLY L. TEETER UNITED STATES DISTRICT JUDGE
Defendant Labette Health provided health care to Plaintiffs Dorothy Blood, Tyler Blood, and Peggy Wittum. Defendant's computer system was then hacked in October 2021, which was after all three received health care. Cyberthieves removed files containing personal information of more than 85,000 patients and employees from Defendant's network. Plaintiffs seek to represent a class of similarly situated victims of the data breach. The case was initially filed in state court, but Defendant removed to federal court based on the Class Action Fairness Act.
Defendant moves to dismiss Plaintiffs' complaint. Doc. 10. Defendant raises many grounds for dismissal, but the Court need only address standing. The Court determines that Wittum lacks standing to pursue her claims because she fails to allege that she has suffered an injury in fact that is fairly traceable to the data breach. The Bloods also lack standing. They allege an injury in fact. But they fail to show that the injury is fairly traceable to Defendant's actions. Because all three named plaintiffs lack standing to bring claims, the Court remands the case to state court.
Thomas v. Metro. Life Ins. Co., 631 F.3d 1153, 1159 (10th Cir. 2011) (“Prior to class certification, the named plaintiffs' failure to maintain a live case or controversy is fatal to the case as a whole-that unnamed plaintiffs might have a case or controversy is irrelevant.” (citations omitted)).
The following facts are taken from Plaintiffs' complaint. The well-pleaded, non-conclusory facts are taken as true for purposes of this order.
A. General Background
Defendant is a county hospital. Cyberthieves attacked Defendant's computer system on October 14, 2021, causing a data breach in which patient files were accessed. Defendant investigated and sent patients a letter on March 11, 2022, informing them of the breach. Compromised information included both personally identifiable information (PII) and protected health information (PHI). Defendant offered patients one year of IDX Privacy protection services. This includes credit and identity monitoring, identity theft restoration, and $1 million insurance for all identity theft costs. Plaintiffs were among those who received the letter.
B. Facts Specific to the Named Plaintiffs
Plaintiffs allege the following facts with respect to the three named plaintiffs in this case.
• The Bloods' and Wittum's full names plus one or more of the following were “removed” from Defendant's system: “Social Security number, medical treatment and diagnosis information, treatment costs, dates of service, prescription information, Medicare or Medicaid number, and/or health insurance information.” Doc. 1-1 at 26 ¶ 114, 28 ¶ 126.
• Since the data breach, the Bloods have had unauthorized charges made to their bank account. They have paid overdraft fees exceeding $500. And they had to change their bank account and debit card numbers.
• The Bloods filed their taxes in February 2022. The IRS notified them that their Social Security number(s) had issues. The Bloods had to prove their identity before the IRS would process their tax return.
• The Bloods have been notified that their PII was found on the “dark web” after the data breach.
• Mr. Blood has been receiving a significantly higher number of spam calls, texts, and emails since December 2021. Wittum has been receiving a significantly higher number of spam calls (between 10 and 15 a day).
• The Bloods now monitor their accounts daily, totaling about 7 hours per week. Wittum has been monitoring her financial accounts for about an hour a week since the data breach.
• Wittum opted into Defendant's offer for a year of data protection services but believes one year to be inadequate.
• Neither the Bloods nor Wittum would have entrusted Defendant with their private information had they known the computer system was unsecure.
C. Damages Alleged by Named Plaintiffs
Plaintiffs claim that they have already been damaged by Defendant's failure to protect their PII and PHI. They also claim a risk of future damages.
1. Actual (Already-Incurred) Damages
• Plaintiffs have spent time monitoring their accounts and mitigating the effects of the data breach (and will continue to do so).
• Plaintiffs claim their lives have been severely disrupted because of the compromise of their personal information.
• Plaintiffs claim their PII and PHI have lost value.
• Plaintiffs claim they overpaid for services because a portion of their payment for medical services was for data security, which Defendant did not provide.
2. Risk of Future Damages
• Plaintiffs claim they “have been placed at an imminent, immediate, and continuing risk of harm from fraud and identity theft.” Id. at 29 ¶ 136.
• Plaintiffs claim they “face substantial risk of out-of-pocket fraud losses.” Id. at 29 ¶ 137.
• Plaintiffs allege they “face substantial risk of being targeted for future phishing, data intrusion, and other illegal schemes.” Id. at 30 ¶ 138.
• Plaintiffs “may” incur out-of-pocket expenses to protect their PII and PHI. Id. at 30 ¶ 139.
II. STANDARD
Defendant moves for dismissal under both Rule 12(b)(1) (challenging Plaintiffs' standing) and Rule 12(b)(6) (challenging the sufficiency of Plaintiffs' allegations). The Court does not reach Defendant's 12(b)(6) arguments, so only the 12(b)(1) standard is recited below. See Hill v. Vanderbilt Cap. Advisors, LLC, 702 F.3d 1220, 1224-25 (10th Cir. 2012) (“Our court has repeatedly characterized standing as an element of subject matter jurisdiction.”).
Motions to dismiss for lack of jurisdiction under Rule 12(b)(1) can generally take two forms: a facial attack or a factual attack. “[A] facial attack on the complaint's allegations as to subject matter jurisdiction questions the sufficiency of the complaint.” Holt v. United States, 46 F.3d 1000, 1002 (10th Cir. 1995), abrogated on other grounds by Cent. Green Co. v. United States, 531 U.S. 425, 437 (2001). In that situation, the allegations in the complaint are accepted as true. Id. A factual attack looks beyond the operative complaint to the facts on which subject matter jurisdiction depends. Id. at 1003. Defendant brings a facial attack because it challenges the sufficiency of Plaintiffs' complaint. The Court therefore accepts the allegations in the complaint as true and considers whether those allegations establish subject matter jurisdiction. Id. at 1002.
III. ANALYSIS
The Court now turns to the question of Plaintiffs' standing. In the paragraphs that follow, the Court first gives an overview of what Plaintiffs must show to establish standing. The Court then looks at two of the three individual elements for standing (injury in fact and traceability), evaluating (1) Plaintiffs' claims for injuries already incurred and (2) Plaintiffs' claims based on the risk of future injury. The Court concludes that Wittum fails to adequately allege any injury in fact that is fairly traceable to the data breach. The Bloods adequately allege an injury in fact (at least as to their unauthorized bank charges experience), but they make only conclusory, broad, and speculative allegations that their injury is fairly traceable to the data breach. None of the named plaintiffs adequately alleges standing to pursue the claims.
A. Legal Requirements for Standing
Courts are not “free-wheeling enforcers of the Constitution and laws.” Initiative & Referendum Inst. v. Walker, 450 F.3d 1082, 1087 (10th Cir. 2006). Article III of the Constitution specifically limits the jurisdiction of federal courts to cases and controversies. See Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). And this limitation requires that plaintiffs have standing to bring claims. See United States v. Colo. Supreme Court, 87 F.3d 1161, 1164 (10th Cir. 1996); see also Brady Campaign to Prevent Gun Violence v. Brownback, 110 F.Supp.3d 1086, 1091 (D. Kan. 2015) (“One of several doctrines reflecting Article III's case-or-controversy limitation on the judicial power is the doctrine of standing.”).
Standing requires that a plaintiff have an actual stake in the controversy. Brady Campaign, 110 F.Supp.3d at 1091. A plaintiff can show this stake by demonstrating “that (1) he or she has suffered an injury in fact; (2) there is a causal connection between the injury and the conduct complained of; and (3) it is likely that the injury will be redressed by a favorable decision.” Ward v. Utah, 321 F.3d 1263, 1266 (10th Cir. 2003) (quoting Phelps v. Hamilton, 122 F.3d 1309, 1326 (10th Cir. 1997)).
The burden of alleging standing is on a plaintiff. See Initiative & Referendum, 450 F.3d at 1087. The extent of a plaintiff's burden depends on the stage of the litigation. Lujan, 504 U.S. at 561. At the pleading stage, a court accepts as true the material allegations of the complaint. Initiative & Referendum, 450 F.3d at 1089. But a court need not accept “conclusory allegations, unwarranted inferences, or legal conclusions.” Brady Campaign, 110 F.Supp.3d at 1092. The plaintiff's allegations establishing standing must still meet the standards of Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) and Ashcroft v. Iqbal, 556 U.S. 662 (2009). See Calderon v. City & Cnty. of Denver, 885 Fed.Appx. 438, 445 (10th Cir. 2021).
To show the first element of standing (an injury in fact), a plaintiff must demonstrate “an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.” Initiative & Referendum, 450 F.3d at 1087 (quoting Lujan, 504 U.S. at 560). “A ‘concrete' injury must be ‘de facto'; that is, it must actually exist.” Spokeo, Inc. v. Robins, 136 U.S. 330, 340 (2016). And to be “imminent,” a “threatened injury must be certainly impending to constitute injury in fact.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013). Alternatively, there can be a “substantial risk” that the harm will occur. Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014). But in a suit for damages, the mere risk of future harm-without more-is insufficient to confer standing. See TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2210-11 (2021). A plaintiff may pursue injunctive relief to prevent future harm, but the risk of harm still must be “sufficiently imminent and substantial.” Id. at 2210 (citing Clapper, 568 U.S. at 414 n.5.).
To show the second element of standing (a causal connection, or that the injury be “fairly traceable” to the challenged action), a plaintiff must “allege a substantial likelihood that the defendant's conduct caused plaintiff's injury in fact.” Santa Fe All. for Pub. Health & Safety v. City of Santa Fe, N.M., 993 F.3d 802, 814 (10th Cir. 2021) (citations and quotation marks omitted). The injury must not be “the result of the independent action of some third party not before the court.” Id. A plaintiff cannot establish that an injury is “fairly traceable” by a “speculative chain of possibilities.” Clapper, 568 U.S. at 414. But this element “is not focused on whether the defendant ‘caused' the plaintiff's injury in the liability sense.” Wuliger v. Mfrs. Life Ins. Co., 567 F.3d 787, 796 (6th Cir. 2009). Actual, “[p]roximate causation is not a requirement of Article III standing.” Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014).
Standing's third element (redressability) requires a substantial likelihood that the plaintiff's requested relief will redress the claimed injury. Ash Creek Min. Co. v. Lujan, 969 F.2d 868, 875 (10th Cir. 1992) (citations omitted). The Court need not address this element further for purposes of this order.
B. Injuries/Damages Already Incurred
There are six potential sources of standing for Plaintiffs' claims of injury to-Dated: (1) the $500 in bank fees the Bloods suffered because someone used their account without authorization; (2) any costs associated with the Bloods' verification of their identity in response to a letter from the IRS; (3) Plaintiffs' alleged costs of monitoring accounts (time) and mitigating the alleged effects of the data breach; (4) disruption in lives, including Plaintiffs' receipt of unwanted spam phone calls, texts, and emails; (5) the lost value of Plaintiffs' PII and PHI; and (6) Plaintiffs' overpayment for services because a portion of their payment for medical services was for data security.
To the extent Plaintiffs attempt to claim they were injured by Defendant's violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Kansas Protection of Consumer Information statute, or the Kansas Consumer Protection Act, their allegations also fail to establish standing. Even if the Court assumes that Defendant violated one or more of these statutes, violation of the law does not establish standing absent injury in fact. See In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 30 (D.D.C. 2014) (“Standing . . . does not merely require a showing that the law has been violated, or that a statute will reward litigants in general upon showing of a violation.”). It is also unclear whether Plaintiffs claim the discovery of the Bloods' PII on the dark web is a present injury or caused a risk of future injury. The Court addresses this claim in the next section. But it is insufficiently pleaded, regardless of where the Court considers it.
The Court pauses to note an overarching issue with Plaintiffs' claims. Plaintiffs contend that their full names plus one or more of the following were “removed” from Defendant's system: “Social Security number, medical treatment and diagnosis information, treatment costs, dates of service, prescription information, Medicare or Medicaid number, and/or health insurance information.” Plaintiffs do not allege the additional pieces of information removed for each of them. This adds an overarching level of conjecture and speculation to Plaintiffs' complaint and alleged harms. Noting this overarching issue, the Court turns to the specifically identified alleged harms.
First, the Bloods' bank fees constitute a concrete and actual injury. The Bloods therefore meet the first requirement of standing for this injury. The second element-traceability-is a different story. The Bloods' allegations on this front are speculative and insufficient to connect the data breach to their bank account. In making this determination, the Court requires only that the Bloods plead non-speculative facts to allege a “substantial likelihood” that it was Defendant's actions that caused the Bloods' harm and not the actions of any other independent actor. The Bloods have not made this showing.
The Bloods allege they suffered unauthorized charges to their bank account. But they do not plead any facts suggesting how the mere possession of their Social Security numbers and names would enable someone to make unauthorized charges on an existing account (instead of, for example, opening a new account). In re SAIC, 45 F.Supp.3d at 31 (holding claims that “unauthorized charges were made to [plaintiffs'] existing credit cards or debit cards, or that money was withdrawn from an existing bank account” lacked causation for purposes of standing because the plaintiffs did not “allege[] that credit-card, debit-card, or bank-account information was on the stolen tapes”); see also Fernandez v. Leidos, Inc., 127 F.Supp.3d 1078, 1086 (E.D. Cal. 2015) (finding no traceability when the plaintiff did not allege that the medical conditions targeted by increased spam mailings were listed in the medical records compromised in the breach).
This highlights the Court's overarching concern just noted. Plaintiffs assume someone possessed their Social Security numbers without authorization. But this assumption is speculative. Plaintiffs allege they were notified that “one or more of the following” items were removed from Defendants' system. The list of items included Social Security numbers, plus several healthcare-related items. But Plaintiffs do not know-or even allege upon information and belief-that their own Social Security numbers, as opposed to some of the other items listed, were actually stolen.
In contrast, the Fourth Circuit in Hutton v. National Board of Examiners in Optometry, Inc., found the plaintiffs sufficiently alleged traceability when they claimed the defendant was the “only common source” that collected the stolen information. 892 F.3d 613, 623 (4th Cir. 2018). The Bloods have not alleged that someone gained access to their bank account number or debit card number(s) through the breach. They have not offered a plausible explanation for how someone accessed their existing bank account using the information stolen from Defendant. To assume someone could have done so with the allegedly stolen information (most of which is healthcare-related) requires a level of speculation and conjecture this Court is unwilling to accept. Without a plausible, non-speculative connection from the stolen information to the Bloods' existing bank account, the Bloods cannot show a substantial likelihood that Defendant's action caused their injury. The Bloods lack standing to bring a claim based on this event.
Second, the Court turns to the Bloods' tax verification issue. The Bloods allege what “when [they] filed their taxes in February 2022, they received notice from the IRS that their Social Security number(s) had issues.” Doc. 1-1 at 27 ¶ 117. And they claim they “had to prove their identity to [sic] before the tax return was processed.” Id. This allegation is insufficient for several reasons. The Bloods do not specify how long the delay in their tax return was, what the problem was with the return, or how difficult it was to rectify. For example, did one short phone call clear it up? And they do not even allege whether they were expecting a refund that was delayed or whether they owed taxes and had (or had not) sent their payment. These details are the concrete and particularized types of facts that should support the Bloods' allegations. Without supporting facts, the bare allegations are conclusory. They fail to meet their burden of alleging they suffered any actual, concrete harm from this event.
The Bloods also fail to plead facts suggesting the IRS problem is traceable to Defendant's actions. Although their social security numbers may have been involved in both the tax submission and the data breach, the Bloods' allegations are conclusory and lack facts that might connect the actions. The entirety of their allegation for this claim is “[i]n addition, when the Bloods filed their taxes in February 2022, they received notice from the IRS that their Social Security number(s) had issues. They had to prove their identity to before the tax return was processed.” Id. Despite knowing Defendant challenged this allegation, the Bloods did not properly seek leave to amend their complaint or otherwise indicate they were willing to provide more detail. Specifically, the Bloods do not plead that they never had tax trouble before. They do not explain the nature of the “issues” with the Social Security number(s) or even if the issue involved both of them or only one of them. Perhaps there was a typographical error in one of the numbers. This was information within the knowledge of the Bloods-not Defendant. Again, the Court does not require more than Iqbal and Twombly do at this stage of the case. But it does require more than conclusory and speculative allegations-particularly when Plaintiffs bear the burden to show they have an actual case or controversy for the Court to resolve.
Plaintiffs ask for leave to amend to correct any deficiencies the Court finds. The request is made in the last sentence of their response brief. This is not the proper way to request leave to amend. Plaintiffs did not comply with D. Kan. R. 15.1 nor outline any additional facts they would include. “A court need not grant leave to amend when a party fails to file a formal motion.” Calderon v. Kan. Dep't of Soc. & Rehab. Servs., 181 F.3d 1180, 1186 (10th Cir. 1999). Plaintiffs' request is not properly before the Court and is therefore denied.
Third, the Court reviews Plaintiffs' allegations of time spent monitoring and mitigating (other than the time related to the Bloods' bank account and taxes). These “injuries” are only concrete if they are based on a threat of future injury that is certainly impending. As the Court explains in the next section of this order, they are not. Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303 (2d Cir. 2021) (quoting Clapper, 568 U.S. at 417); see also In re Mednax Servs., Inc., Customer Data Security Breach Litig., 2022 WL 1468057, at *6 (11th Cir. 2022).
Fourth, the alleged inconvenient disruptions (such as spam calls, texts, and emails) do not constitute an injury in fact. In re Practicefirst Data Breach Litig., 2022 WL 354544, at *5 n.8 (W.D.N.Y. 2022), adopted by district court, 2022 WL 3045319 (collecting cases finding unsolicited spam insufficient to constitute an injury in fact). And an increase in spam phone, texts, and emails calls, while certainly frustrating, cannot be causally linked to the specific data breach here because there is (1) no allegation that phone numbers or email addresses were stolen and (2) no allegation that Plaintiffs' phone numbers or email addresses were unlisted or otherwise protected. In re SAIC, 45 F.Supp.3d at 33. Again, Plaintiffs fail to meet either the first or second requirement of standing.
Fifth, the alleged lost value of PII and PHI lacks a concrete and particularized injury. Even if Plaintiffs' PII and PHI have monetary value, as Plaintiffs allege, they do not allege facts explaining how they lost value because of the breach. They do not allege (nor likely would they) that they tried to sell their information and couldn't or were offered less than its value. Plaintiffs have failed to plausibly allege actual damages based on the alleged lost value of their PII and PHI. See In re Capital One Consumer Data Security Breach Litig., 488 F.Supp.3d 374, 403-04 (E.D. Va. 2020) (citing cases with similar conclusions); Khan v. Children's Nat'l Health Sys., 188 F.Supp. 524, 534 (D. Md. 2016).
Sixth, the alleged overpayment for medical services also fails to establish standing. In re Zappos.com, Inc., 108 F.Supp.3d 949, 962 n.5 (D. Nev. 2015) (finding no standing based on “diminished value of the services provided by Zappos” because plaintiffs failed to “allege facts showing how the price they paid for [Zappos's] goods incorporated some particular sum that was understood by both parties to be allocated towards the protection of customer data”); In re SAIC, 45 F.Supp.3d at 30 (rejecting overpayment theory, stating, “[t]o the extent that Plaintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing.”); see Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016) (expressing skepticism about the plaintiffs' argument that “the cost of their meals is an injury because they would not have dined at P.F. Chang's had they known of its poor data security”).
In summary, none of Plaintiffs' past injuries create standing for them to bring claims. The Court next turns to their anticipated future injuries. These injuries do not fare better.
C. Risk of Future Injury
Plaintiffs' remaining injuries are potential; they have not yet happened. Plaintiffs are concerned they are at risk of future fraud and identity theft, phishing, and data intrusion. They also fear additional out-of-pocket expenses and lost time cleaning up future problems arising out of the data breach.
The standing inquiry in “risk of future injury” data breach cases is a little more complicated than the evaluation of whether an actual, existing injury has been pleaded. Courts have split on whether the risk of future injury based on stolen personal information constitutes “injury in fact” for standing purposes. The Tenth Circuit has not yet addressed this issue, but multiple Circuits have held that without actual misuse of stolen information, plaintiffs lack standing to bring claims because their injuries are not concrete, particularized, or imminent. See C.C. v. Med-Data, 2022 WL 970862, at *4 (D. Kan. 2022) (citing cases); see also Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1340-44 (11th Cir. 2021) (surveying cases and remarking “Generally speaking, the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or actual access to personal data.”); Legg v. Leaders Life Ins. Co., 574 F.Supp.3d 985, 990 (W.D. Okla. 2021) (internal citation and quotation omitted) (“[A]ll of the circuit court cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse.”). But see McMorris, 995 F.3d at 300 (“[I]n actuality, no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft-even those courts that have declined to find standing on the facts of a particular case.”).
Other courts have considered situations in which a data breach resulted in misuse of stolen information. See, e.g., Hutton, 892 F.3d at 621-22 (concluding plaintiffs had standing based on imminent threat of injury; data had already been misused); Attias v. Carefirst, Inc., 865 F.3d 620, 628-29 & n.2 (D.C. Cir. 2017) (concluding plaintiffs had standing based on substantial risk of future identity theft; some plaintiffs already had missing tax refunds); Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 387-91 (6th Cir. 2016) (concluding plaintiffs had standing based on a substantial risk of harm; named plaintiff had experienced three unauthorized attempts to open credit cards in his name); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693-94 (7th Cir. 2015) (finding there was an “objectively reasonable likelihood” that injury would occur to customers whose credit card information was stolen; 9,200 cards had already experienced fraudulent charges) (quoting Clapper, 568 U.S. at 410); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (concluding plaintiffs had standing based on in increased risk of identity theft; someone had tried to open a bank account in the plaintiff's name); Hapka v. Carecentrix, Inc., 2016 FL 7336407, at *4 (D. Kan. 2016); see also In re Zappos, Inc., 888 F.3d 1020, 1025-28 & n.7 (9th Cir. 2018) (following Krottner, post-Clapper).
The Court examined nearly all of Plaintiffs' allegations of actual misuse above. They either do not constitute an injury in fact for purposes of standing or are not fairly traceable to the data breach. The Court is left with one more allegation that may constitute “misuse” such that the cases finding standing above would suggest the same outcome is appropriate here: The Bloods represent they have been notified that their PII was found on the “dark web.” This, too, is insufficient.
The Bloods' “dark web” allegation lacks a plausible connection to Defendant's actions. The Bloods simply allege that “[s]ince [Defendant's] Data Breach, the Bloods have been notified that their PII was found on the ‘dark web.'” Doc 1-1 at 27 ¶ 118. But when were they notified? Was the PII on the dark web before the breach and were they only notified later? And what PII was “found”? Does it match the PII stolen in the data breach? And is Defendant's database the only place this information was available? Cf. Hutton, 892 F.3d at 623 (noting the defendant was the “only common source” of certain PII). Again, this is information in the hands of the Bloods, not Defendant. Plaintiffs' allegations are conclusory and unsupported by facts. This is not enough. But cf. Fero v. Excellus Health Plan, Inc., 304 F.Supp.3d 333, 340-45 (W.D.N.Y. 2018) (finding evidence that the plaintiffs' information was for sale on the dark web buttressed the court's independent determination that the plaintiffs were subject to imminent and certain impending injury).
The Court is left with no sufficient allegations of data misuse. Under the caselaw elucidated above, the risk of future harm is no more than an “attenuated chain of possibilities.” Clapper, 568 U.S. at 410; see also Tsao, 986 F.3d at 1340-44 (finding no standing based on allegations of future risk of identity theft, proactive mitigation costs, and conclusory allegations of unauthorized charges); In re SuperValu, Inc., 870 F.3d 763, 769-70 (8th Cir. 2017) (no standing based on speculative allegations); Reilly v. Ceridian Corp., 664 F.3d 38, 41-46 (3d Cir. 2011) (concluding “allegations of hypothetical, future injury do not establish standing under Article III”). Plaintiffs' concerns are speculative. The Court has no concrete actions on which to base a conclusion that any threatened harm is “certainly impending.” Clapper, 568 U.S. at 410. There is simply no case or controversy before the Court.
Even if the Court were to find Plaintiffs met their burden to establish standing, the Court is dubious whether this case would survive scrutiny of the four claims raised: (1) breach of implied contract; (2) unjust enrichment; (3) violation of K.S.A. § 50-7a02; and (4) violation of the Kansas Consumer Protection Act. There are several high-level problems the Court identifies with these claims. In short, the Court questions how there could have been an implied contract with no allegation of mutual assent by Defendant. The Court suspects Plaintiffs cannot pursue all the damages they'd like under an unjust enrichment theory. There is a valid question whether K.S.A. § 50-7a02 provides a private right of action. And Plaintiffs appear to stretch the application of the KCPA beyond that intended by the legislature. The Court is reticent to create causes of action that the Kansas legislature and courts have not. Defendant raises several other arguments that have appeal. But the Court leaves the question of the sufficiency of Plaintiffs' claims for another day.
IV. CONCLUSION
Plaintiffs have not met their burden to show they have standing to bring any of their claims. Defendant sought dismissal on this basis. But this case is a removal case. And courts routinely treat standing as a matter of subject matter jurisdiction. Hill, 702 F.3d at 1226. When a case has been removed and a court finds it lacks subject matter jurisdiction, the court must remand the case. 28 U.S.C. § 1447(c) (“If at any time before final judgment it appears that the district court lacks subject matter jurisdiction, the case shall be remanded.”). This command is mandatory. See Int'l Primate Prot. League v. Adm'rs of Tulane Educ. Fund, 500 U.S. 72, 89 (1991) (“[T]he literal words of § 1447(c) . . . on their face, give no discretion to dismiss rather than remand an action.” (cleaned up)).
The Court recognizes authority describing standing and subject matter jurisdiction as separate questions. See, e.g., Rent Stabilization Ass'n of New York v. Dinkins, 5 F.3d 591, 594 n.2 (2d Cir. 1993); see also Moms Against Mercury v. FDA, 483 F.3d 824, 826 (D.C. Cir. 2007) (“Where both standing and subject matter jurisdiction are at issue, however, a court may inquire into either and, finding it lacking, dismiss the matter without reaching the other.”). Standing is technically an issue of justiciability. But it is jurisdictional in nature. And the Tenth Circuit has treated it as a subject matter jurisdiction matter. See, e.g., Nova Health Sys. v. Gandy, 416 F.3d 1149, 1155 (10th Cir. 2005) (“As with all questions of subject matter jurisdiction except mootness, standing is determined as of the date of the filing of the complaint.” (quotation omitted)); Schutz v. Thorne, 415 F.3d 1128, 1132 (10th Cir. 2005) (identifying the standard of review for “questions of subject matter jurisdiction, including whether a plaintiff has standing to sue”); see also Bender v. Williamsport Area Sch. Dist., 475 U.S. 534, 541-42 (1986) (considering standing a question of subject matter jurisdiction).
THE COURT THEREFORE ORDERS that Defendant's motion to dismiss (Doc. 10) is GRANTED in part and DENIED in part. The named plaintiffs lack standing to pursue their claims in federal court. But the Court does not dismiss the case and instead REMANDS the case to state court.
THE COURT FURTHER ORDERS that Defendant's motion to strike (Doc. 9) remains pending and should be transferred to the state court.
IT IS SO ORDERED.