The decision from the Middle District of North Carolina (Panighetti v. Intelligent Business Solutions, Inc.) is the latest in a recent trend finding that allegations of future or unspecified damages in data breach class actions are insufficient to establish Article III standing. The court granted the defendant’s motion to dismiss finding that plaintiff lacked Article III standing because he failed to plead a concrete injury.
Background & Order
IBS, a health information company, collects and maintains PII for healthcare entities. Plaintiff, a hospital patient that IBS provided services for, alleged that his social security number, medical treatment information and health insurance information, as well as that of an estimated 12,000 other individuals, was part of a 2022 data breach. Panighetti v. IBS, No. 1:23-CV-209, 2025 U.S. Dist. LEXIS 123406 (M.D.N.C. June 30, 2025. at 1 & 2.
After IBS became aware of the data breach, it notified impacted individuals. Plaintiff alleged that this notification “created a present, continuing, and significant risk of suffering identity theft” and filed a class action complaint against IBS. Id. IBS moved to dismiss challenging the plaintiff’s Article III standing. IBS argued Plaintiff was “not able to plead facts that show there was actual misuse of data that resulted in identity theft, fraud, or another concrete injury-in-fact.” Id. at 4. Plaintiff countered that he had standing to sue “because the data breach harmed him, will harm him again, and requires him to expend resources mitigating that harm” and that these harms “confer standing” based on Fourth Circuit precedent. Id. In granting IBS’ motion the court held that the Plaintiff lacked Article III standing. The court reasoned that to proceed with a lawsuit, Article III requires Plaintiff to demonstrate three elements: (1) an injury in fact; (2) causation; and (3) redressability.” Id. at 5 (citing David v. Alphin, 704 F.3d 327, 333 (4th Cir. 2013)).
No Injury in Fact
Honing-in on the first element, the court explained that the plaintiff must show he “suffered an invasion of a legally protected interest which is concrete, particularized, and actual or imminent.” Id. Relying on Fourth Circuit precedent, the court rejected the plaintiff’s argument that he was injured because nowhere in the pleadings did the plaintiff claim that he was a victim of identity theft or fraud, that risk of future theft was “certainly impending,” or provide instances of his personal information being misused. The court also held that spending time and money to mitigate the increased risk caused by the breach, where there was no misuse of data, was too speculative to confer standing. As for the plaintiff’s assertions of emotional harm, the Court held the allegations were insufficient to confer standing. Id. at 8 (quoting Beck v. McDonald, 848 F.3d. 262 (4th Cir. 2017). Accordingly, the Court dismissed the plaintiff’s claims of emotional harm as “bare assertions of possible or potential harm.” Id.
Implications
Injury in fact remains an important element for Article III standing. Companies facing data breach class actions in federal court do well to determine whether the plaintiff suffered actual harm and, if not, consider whether to move to dismiss the action. In evaluating whether to dismiss, defendants should weight the possibility that the plaintiff could refile the action in state court.