Santos-Pagán v. Bayamón Medical Center — Affirmed dismissal for lack of Article III standing; data breach plaintiff failed to plausibly allege fraudulent account was traceable to the breach

Case: Betzaida Santos-Pagán and Minerva M. Hernández-Umpierre v. Bayamón Medical Center
Court: U.S. Court of Appeals for the First Circuit
Date Decided: June 11, 2026
Docket No.: 24-2018
Topics: Article III Standing; Data Breach; Class Action; Traceability

Background

In May 2019, Bayamón Medical Center (BMC), a hospital in Puerto Rico, suffered a ransomware attack that exposed the personally identifiable information (PII) and protected health information (PHI) of 522,493 patients, including their full names, Social Security numbers, dates of birth, and medical diagnoses. BMC disclosed the breach to patients in July 2019, noting that while the data had been encrypted and accessed, there was “no indication” it had been used by unauthorized parties.

Betzaida Santos-Pagán, a former BMC patient who received the breach notice, filed a putative class action in the U.S. District Court for the District of Puerto Rico in May 2020, along with co-plaintiff Minerva M. Hernández-Umpierre. They asserted claims under Puerto Rico law for breach of contract, breach of the covenant of good faith and fair dealing, and negligence, alleging BMC failed to properly safeguard patient information. The plaintiffs invoked federal jurisdiction under the Class Action Fairness Act (CAFA).

Santos initially alleged only a general risk of identity theft. However, in her second amended complaint filed in April 2024—nearly five years after the breach—she added that a fraudulent cellphone account had been opened in her name after she received the breach notice, causing her to spend approximately $800 to repair her credit score. The district court dismissed for lack of Article III standing, holding that Santos failed to plausibly allege her injury was traceable to BMC’s data breach. Santos appealed.

The Court’s Holding

The First Circuit affirmed the dismissal. The panel held that while Santos adequately alleged an injury in fact—actual fraudulent misuse of her PII resulting in concrete economic harm—she failed to adequately allege that this injury was fairly traceable to BMC’s data breach, a requirement for Article III standing. The court distinguished this case from its recent decision in Webb v. Injured Workers Pharmacy, LLC, where a similar standing argument had succeeded.

The court identified three critical deficiencies in Santos’s allegations supporting traceability. First, there was no plausible temporal connection: the breach occurred in May 2019, but Santos discovered the fraudulent account sometime after September 2023—more than four years later—with no allegation of when the account was actually opened. Second, unlike the Webb plaintiff, Santos’s complaint contained no allegations that she generally protected her PII carefully, never transmitted unencrypted PII over unsecured networks, or stored documents securely. Third, the complaint failed to allege that the specific type of PII needed to open a cellphone account was the kind of information Santos had provided to BMC or that was exposed in the breach.

Without these plausible factual connections, the court concluded, the complaint amounted to conclusory allegations that the fraud was traceable to BMC’s breach rather than plausible inferences. The court emphasized that its obligation to construe facts in the plaintiff’s favor does not require crediting “bald assertions, unsupportable conclusions” or allowing speculative leaps in causation.

Key Takeaways

  • Data breach plaintiffs seeking standing must plausibly allege not just that they were harmed, but that their injury is fairly traceable to the defendant’s breach—conclusory assertions of a causal connection are insufficient at the pleading stage.
  • Temporal proximity matters: a multi-year gap between a data breach and discovery of fraudulent misuse weakens the plausibility of a causal link without additional supporting facts.
  • Plaintiffs strengthen traceability allegations by showing they generally safeguard their PII carefully and would not have disclosed sensitive information through other channels, making the defendant’s breach the likely source.
  • The specific type of PII needed for the fraud must align with the information exposed in the defendant’s breach; generic allegations that cybercriminals use PII for fraud are insufficient.

Why It Matters

This decision provides important guidance on the pleading-stage requirements for data breach class actions. While it confirms that actual misuse of PII following a breach can constitute a cognizable injury in fact, it establishes that plaintiffs cannot simply rely on temporal proximity to the breach and conclusory allegations of causation. The opinion suggests that surviving a motion to dismiss requires factual allegations supporting a reasonable inference that the defendant’s breach—and not some other source—was the origin of the fraudster’s PII.

For defendants, the decision offers a roadmap for challenging data breach claims at the pleading stage. For plaintiffs’ counsel, it underscores the importance of conducting thorough pre-suit discovery and factual investigation before filing, and of pleading specific details about the timing of discovered fraud, the plaintiff’s information security practices, and the overlap between data exposed and information misused. The decision may reduce the number of data breach class actions that clear the Article III standing threshold, particularly in cases involving delayed discovery of fraud and limited factual development of causation.
