WASHINGTON (CN) - A data breach may have compromised the personal information and medical records of millions of military members, but most plaintiffs who filed suit don't have a legal leg to stand on, a federal judge ruled.
U.S. District Judge James Boasberg threw out all but two plaintiffs in the case Friday, ruling that the mere fear that one's personal information has been swiped does not constitute a legal injury.
"This case presents thorny standing issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury," Boasberg wrote. "That is, when is a consumer actually harmed by a data breach - the moment data is lost or stolen, or only after the data has been accessed or used by a third party?"
The judge relied on precedent finding that "the mere loss of data - without evidence that it has been either viewed or misused - does not constitute an injury sufficient to confer standing."
The origin of the case dates back to September 2011 when a thief smashed the window of a car sitting in a San Antonio, Texas, parking garage and made off with the car's GPS system, stereo and several data tapes.
The car belonged to an employee of Science Applications International Corp., the information-technology company that handles data for the federal government, and the tapes "contained personal information and medical records concerning 4.7 million members of the U.S. military (and their families) who were enrolled in TRICARE health care, which contracts with SAIC - somewhat ironically - to protect patients' data," Boasberg wrote.
Eight ensuing complaints involving 33 plaintiffs were consolidated before Boasberg.. Named as defendants are the U.S. Department of Defense, TRICARE and Secretary Chuck Hagel.
Boasberg tossed all but two of the plaintiffs for lack of standing Friday.
Colorado man Robert Curtis and another plaintiff, Robin Warner, alone alleged actual injuries that can be linked to the data breach, the court found. The remaining plaintiffs merely allege a fear of how their information could be used.
Curtis said that, since the data breach, he has received mail from credit-card companies thanking him for applying for loans for which he has not sought. Warner, meanwhile, said she has received calls from telemarketers trying to sell her products for her very specific medical condition.
"A reasonable reader may still wonder: If Curtis and Yarde's information was potentially accessed or misused, why not presume that the remaining plaintiffs' information will suffer the same fate?" the 28-page opinion concludes.
Boasberg noted that "the theft from the SAIC employee's car was a low-tech, garden-variety one," adding, "this is hardly a black-ops caper."
It would require highly skilled individuals and tape decoders to pull the information off of the tapes, and it's highly unlikely that a petty car thief who also stole the GPS and stereo of the car would even know the value of the pilfered tapes - medical records - can be sold for $14 to $25 each on the black market, the court found.