Duane Morris Class Action Review - 2023 - Report - Page 133
MedData. Styled as a motion to transfer under forum non conveniens, the defendants
sought to transfer the class action to the U.S. District Court for the Southern District of
Texas where MedData had reincorporated in 2020. The court denied the motion. It cited
to several factors, including: (i) the travels of a related case from the Southern District of
Texas to the Western District of Washington and then back to the Southern District of
Texas (with apparent cooperation between counsel for the defendant); (ii) the
defendant’s delay of over five months in filing the motion to transfer; and (iii) the timing
of the defendant’s motion, i.e., the motion was filed after the defendant proceeded into
discovery in Washington and only after the plaintiff filed a motion to consolidate and for
appointment of interim counsel. The court explained that it could not see how a case
progresses for months in one court and then the defendant attempts to choose a
different forum and opposing counsel against whom to litigate. The court refused to
reward this type of gamesmanship and ultimately found that the interest of justice factor
for transfer heavily swayed against transferring this class action to the Southern District
of Texas.
In Blood, et al. v. Labette County Medical Center, 2022 U.S. Dist. LEXIS 191922 (D.
Kan. Oct. 20, 2022), the plaintiffs, a group of patients of the defendant Labette County
Medical center, a county hospital, filed a class action due to cyberthieves allegedly
attacking the defendant’s computer system on October 14, 2021, causing a data breach
in which 85,000 patients and employees from the defendant’s network files were
accessed. Compromised information included both personally identifiable information
(PII) and protected health information (PHI). The defendant investigated and sent
patients a letter on March 11, 2022, informing them of the breach and offered patients
one year of IDX Privacy protection services. This included credit and identity monitoring,
identity theft restoration, and $1 million insurance for all identity theft costs. The plaintiffs
were among those who received the letter. The plaintiffs sought to represent a class of
similarly-situated victims of the data breach. The case was initially filed in state court,
but the defendant removed it under the Class Action Fairness Act. The defendant then
filed a motion to dismiss for lack of subject-matter jurisdiction pursuant to Rule 12(b)(1)
or for failure to state a claim upon which relief can be granted pursuant to Rule 12(b)(6).
In its motion, the defendant raised many grounds for dismissal, but the court chose to
address only its subject-matter jurisdiction over the plaintiffs’ class action claims. The
court determined that one of named plaintiffs lacked standing to pursue her claims
because she failed to allege that she has suffered an injury-in-fact that was fairly
traceable to the data breach. Further, the court found that other two named plaintiffs
also lacked standing because although they alleged an injury-in-fact, they failed to show
that their injury was traceable to the defendant’s actions. Specifically, the court stated
that the named plaintiffs’ allegation that their PII was found on the “dark web” was
insufficient to show a plausible connection to the defendant’s actions. The motion to
dismiss for lack of subject-matter jurisdiction was therefore granted because the court
found that the three named plaintiffs lacked standing to bring the alleged claims.
However, because the court ruled that the standing challenge was a subject-matter
jurisdictional question rather than a determination of the merits of the case, the court
remanded the case back to state court rather than dismissing the claims.
132
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023
