On June 11, 2026, the U.S. Court of Appeals for the First Circuit in Santos-Pagan v. Bayamon Medical Center, issued a pivotal ruling in a hospital data breach class action that denied standing to the plaintiff because she could not trace her alleged fraud to the cyberattack. The decision reinforces a growing judicial trend that data exposure alone is not enough to sustain a federal class action. Plaintiffs must show concrete, traceable harm caused by the breach. This shift has immediate implications for how businesses should respond to breaches and prepare for the litigation that often follows.
BACKGROUND & DECISION
A hospital was hit by a cyberattack that compromised patients’ personal information. One affected patient filed a class action alleging that the breach exposed her data and that she subsequently suffered fraud and other downstream harms as a result. She argued that the hospital’s inadequate security measures violated duties under state and federal law and that the class should be allowed to proceed on behalf of all patients whose data was exposed.
The First Circuit concluded that the plaintiff lacked Article III standing to sue in federal court. Rather than reaching the merits of the breach claims, the court focused on whether the plaintiff had suffered a “concrete” injury that was “actual”or certainly impending and causally tied to the hospital’s conduct. The court held that the mere fact that data was exposed in a breach does not automatically constitute a concrete injury sufficient for standing. Because the plaintiff failed to demonstrate that the fraud she experienced was linked to the hospital’s breach rather than to some other source of her data, the court found no actual or certainly impending harm and dismissed the case on standing grounds.
IMPLICATIONS
The First Circuit’s approach reshapes the way courts evaluate data breach cases. Previously, many suits were able to proceed on the theory that exposure created a significant risk of future harm, particularly when sensitive data like Social Security numbers, health records, or payment card information were involved. Under this decision, that theory is no longer sufficient on its own. This ruling now reinforces the argument that plaintiffs must now show that their specific losses were actually caused by the breach, such as confirmed identity theft, fraudulent transactions, or documented reputational damage.
This shift makes it more difficult for plaintiffs to assemble large, generalized classes in which many members only have “data exposed” claims without concrete, attributable injury. Courts are now more likely to scrutinize whether each proposed class member has suffered harm that can be traced to the breach, rather than allowing the case to proceed on the basis of speculative risk. For businesses, this means that standing-based defenses can be a powerful tool in early litigation, potentially ending cases before they reach discovery or settlement negotiations.
PRACTICAL GUIDANCE
- Document Assessment of Misuse. When a breach occurs, response strategy should be shaped not just by compliance obligations but also by the litigation realities created by this ruling. As soon as a business learns of a breach, businesses do well to focus on identifying concrete harm and determining what data was exposed, whether payment card data, health records, or identifiers like names and Social Security numbers. An assessment should be undertaken as to whether there is evidence of misuse, such as fraudulent charges, new accounts opened, or medical claims submitted. This should be clearly and separately documented from the breach notification work. If a business can credibly state that there is no evidence of misuse and that affected individuals have not reported concrete harm, defendants can argue early in litigation that most or all class members lack standing, which is now a more viable defense than in the past.
- Watch Representations & Compliance. One of the vulnerabilities in data breach litigation is marketing or public statements that suggest security is absolute, so avoid claims like “your data is completely secure” or “we prevent all breaches.” Instead, use language that acknowledges risk and emphasizes reasonable, industry-standard safeguards, and ensure privacy notices, security pages, and customer communications are consistent and do not overstate capabilities. This includes documenting the company’s security program so it is available to demonstrate reasonable practices if challenged, and training staff on phishing and insider threats, as many breaches now start with social engineering. This reduces the risk that plaintiffs will argue the business breached a specific promise or misrepresented its security posture, which can be especially damaging when paired with allegations of negligence.
- Include Regulatory Readiness. Even if federal standing is weak, businesses may still face state-court class actions where standing rules are more lenient, regulatory investigations by state attorneys general, the Federal Trade Commission, the Department of Health and Human Services, or other agencies, and consumer protection claims that rely on deceptive practices or failure to implement reasonable security. A company’s breach response should include a regulatory readiness plan that identifies who will talk to agencies and what documents will be prepared, a state-court litigation strategy that includes potential early dismissals or settlements, and a clear, consistent external and internal communication plan. The First Circuit’s reasoning suggests courts will respect robust, timely responses, so a business does well to act quickly by initiating forensic investigations, engaging third-party experts, and beginning remediation within days, while providing affected individuals with clear, precise information about what happened, what data was involved, and what they can do to protect themselves.
BOTTOM LINE
The Santos-Pagan ruling sends a clear signal that, in federal courts, data exposure alone is not enough to sustain a data breach class action. Plaintiffs must show concrete, traceable harm caused by the breach, and courts are increasingly dismissing cases where that link cannot be established. For businesses, this means they can more aggressively challenge standing in federal cases, design a breach response to limit litigation exposure, and still prepare for state-court filings and regulatory actions where standing may be easier to prove.