Webb v. Injured Workers Pharmacy, LLC ( 2023 )


Menu:
  •           United States Court of Appeals
    For the First Circuit
    No. 22-1896
    ALEXSIS WEBB, on behalf of herself and all others similarly
    situated; MARSCLETTE CHARLEY, on behalf of herself and all
    others similarly situated,
    Plaintiffs, Appellants,
    v.
    INJURED WORKERS PHARMACY, LLC,
    Defendant, Appellee.
    APPEAL FROM THE UNITED STATES DISTRICT COURT
    FOR THE DISTRICT OF MASSACHUSETTS
    [Hon. Richard G. Stearns, U.S. District Judge]
    Before
    Kayatta, Lynch, and Montecalvo,
    Circuit Judges.
    David K. Lietz, with whom Milberg Coleman Bryson Phillips
    Grossman, PLLC, Raina C. Borrelli, and Turke & Strauss, LLP were
    on brief, for appellants.
    Claudia D. McCarron, with whom Jordan S. O'Donnell and Mullen
    Coughlin LLC were on brief, for appellee.
    June 30, 2023
    LYNCH, Circuit Judge.   Named plaintiffs Alexsis Webb and
    Marsclette Charley brought this putative class action against
    defendant Injured Workers Pharmacy, LLC ("IWP"), asserting various
    state law claims in relation to a January 2021 data breach that
    allegedly    exposed   their   personally   identifiable   information
    ("PII") and that of over 75,000 other IWP patients.        The district
    court concluded that the plaintiffs' complaint did not plausibly
    allege an injury in fact and dismissed the case for lack of Article
    III standing.     See Webb v. Injured Workers Pharmacy, LLC, No.
    22-cv-10797, 
    2022 WL 10483751
    , at *2 (D. Mass. Oct. 17, 2022).
    We hold that the complaint plausibly demonstrates the
    plaintiffs' standing to seek damages.       The plaintiffs press five
    causes of action seeking damages, each of which encompasses at
    least one of the harms that we hold satisfy the requirements of
    Article III standing.     The complaint plausibly alleges an injury
    in fact as to Webb based on the allegations of actual misuse of
    her PII to file a fraudulent tax return.       Further, the complaint
    plausibly alleges an injury in fact as to both plaintiffs based on
    an imminent and substantial risk of future harm as well as a
    present and concrete harm resulting from the exposure to this risk.
    We also hold that the plaintiffs lack standing to pursue injunctive
    relief because their desired injunctions would not likely redress
    their alleged injuries.    We affirm in part, reverse in part, and
    remand for further proceedings.
    - 2 -
    I.
    A.
    We recount the facts as they appear in the plaintiffs'
    complaint     and   in   documents   attached       to    the   complaint   or
    incorporated therein.     Hochendoner v. Genzyme Corp., 
    823 F.3d 724
    ,
    728 (1st Cir. 2016).
    IWP is a home-delivery pharmacy service registered and
    headquartered in Massachusetts.            It maintains records of its
    patients' full names, Social Security numbers, and dates of birth,
    as well as information concerning their financial accounts, credit
    cards, health insurance, prescriptions, diagnoses, treatments,
    healthcare providers, and Medicare/Medicaid IDs.                Much of this
    information    constitutes    PII.        See,    e.g.,   United   States   v.
    Cruz-Mercedes, 
    945 F.3d 569
    , 572            (1st Cir. 2019).         Patients
    provided their PII in order to receive IWP's services, and IWP
    kept that PII.      IWP represented to patients that it would keep
    their PII secure.
    In January 2021, IWP suffered a data breach.              Hackers
    infiltrated IWP's patient records systems, gaining access to the
    PII of over 75,000 IWP patients, and stole PII including patient
    names and Social Security numbers.1              IWP did not discover this
    1    IWP stated in a notice letter to potentially impacted
    patients that "an unknown actor accessed a total of seven . . .
    IWP e-mail accounts" over a four-month period.      The complaint
    alleges that hackers "infiltrated IWP's patient records systems."
    - 3 -
    breach until May 2021, almost four months later.          In the interim,
    the hackers were able to continue accessing PII.              On learning of
    the breach, IWP did not immediately alert its patients.              Instead,
    it initiated a seven-month investigation and worked to implement
    new data security safeguards.
    IWP did not begin notifying impacted patients until
    February 2022, when it circulated a notice letter.              This notice
    provided a high-level description of the breach                but, in the
    plaintiffs' view, did not fully convey its size or scope.                 The
    notice stated that IWP "currently ha[d] no evidence that any
    information ha[d] been misused."       It also "encourage[d] [patients]
    to . . . review[] [their] account statements and monitor[] [their]
    credit reports for suspicious activity" and referred patients to
    a guidance document on protecting their personal information.             IWP
    has not offered to provide, at its own expense, credit monitoring
    and identity protection services to all impacted patients.
    Alexsis   Webb   is   a    former   IWP   patient    who   received
    services from IWP between 2017 and 2020.            She is a resident of
    Ohio.   In February 2022, IWP notified her that her PII had been
    compromised in the data breach. As a result, Webb allegedly "fears
    for her personal financial security and [for] what information was
    The plaintiffs appear to agree that the "initial attack vector"
    was into IWP employee email accounts but contend that this allowed
    the hackers to access additional system information.
    - 4 -
    revealed in the [d]ata [b]reach," "has spent considerable time and
    effort monitoring her accounts to protect herself from . . .
    identity theft," and "is experiencing feelings of anxiety, sleep
    disruption, stress, and fear" because of the breach.                    Webb's PII
    was used to file a fraudulent 2021 tax return, and she has
    "expended   considerable     time"    communicating       with    the     Internal
    Revenue Service ("IRS") to resolve issues associated with this
    false return.
    Marsclette Charley is a current IWP patient who has
    received services from IWP since 2016.               She is a resident of
    Georgia.    Like Webb, she became aware in February 2022 that her
    PII had been compromised in the breach.          She called IWP to confirm
    that her information was stolen, but IWP's representatives would
    not   provide   her   with   specific      details   as   to     what    types   of
    information were accessed.        As a result of the breach, Charley
    allegedly "fears for her personal financial security," "expends
    considerable time and effort monitoring her accounts to protect
    herself from . . . identity theft," and "is experiencing feelings
    of rage and anger, anxiety, sleep disruption, stress, fear, and
    physical pain."
    B.
    On May 24, 2022, Webb and Charley filed a class action
    complaint against IWP in the U.S. District Court for the District
    of Massachusetts, invoking the court's jurisdiction under the
    - 5 -
    Class Action Fairness Act of 2005 ("CAFA"), 
    28 U.S.C. § 1332
    (d).
    The complaint asserts state law claims for negligence, breach of
    implied contract, unjust enrichment, invasion of privacy, and
    breach    of    fiduciary   duty.2     The   complaint   seeks    damages,   an
    injunction "[e]njoining [IWP] from further deceptive and unfair
    practices and making untrue statements about the [d]ata [b]reach
    and the stolen PII," other injunctive and declaratory relief "as
    is necessary to protect the interests of [the] [p]laintiffs and
    the [c]lass," and attorneys' fees.           It seeks to certify a class of
    U.S. residents whose PII was compromised in the data breach.
    On August 9, 2022, IWP moved to dismiss the complaint on
    two bases: under Federal Rule of Civil Procedure ("Rule") 12(b)(1),
    for lack of Article III standing, and under Rule 12(b)(6), for
    failure to state a claim as to each of the complaint's asserted
    claims.    The plaintiffs opposed the motion.
    On October 17, 2022, the district court granted IWP's
    motion and dismissed the case under Rule 12(b)(1).               Webb, 
    2022 WL 10483751
    , at *2.       The court concluded that the plaintiffs lacked
    Article III standing because their complaint did not plausibly
    allege an injury in fact.        
    Id.
        As to the complaint's allegation
    that a fraudulent tax return was filed in Webb's name, the court
    2    The complaint also asserts a state law claim for
    negligence per se. The plaintiffs agreed to voluntarily dismiss
    this claim in their district court briefing.
    - 6 -
    reasoned   that    the   complaint    did    not   sufficiently   allege    a
    connection between the data breach and this false return.            See 
    id.
    at *2 n.4.       As to the complaint's other allegations, the court
    reasoned that the potential future misuse of the plaintiffs' PII
    was not sufficiently imminent to establish an injury in fact and
    that actions to safeguard against this risk could not confer
    standing either.      See id. at *2.        Because it dismissed the case
    under Rule 12(b)(1), the court did not reach IWP's Rule 12(b)(6)
    arguments.   Id. at *1 n.2.
    This timely appeal followed.
    II.
    The      plaintiffs'      complaint      must   meet    standing
    requirements based on Article III of the Constitution, which limits
    "[t]he judicial Power" to "Cases" and "Controversies." U.S. Const.
    art. III, § 2, cl. 1; see In re: Evenflo Co., Inc., Mktg., Sales
    Pracs. & Prods. Liab. Litig., 
    54 F.4th 28
    , 34 (1st Cir. 2022).
    "The existence of standing is a legal question, which we review de
    novo."   Evenflo, 54 F.4th at 34 (quoting Kerin v. Titeflex Corp.,
    
    770 F.3d 978
    , 981 (1st Cir. 2014)).                "When reviewing a pre-
    discovery grant of a motion to dismiss for lack of standing, we
    accept as true all well-pleaded fact[s] . . . and indulge all
    reasonable   inferences     in    the      plaintiff[s']   favor."         
    Id.
    (alterations and omission in original) (internal quotation marks
    omitted) (quoting Kerin, 
    770 F.3d at 981
    ).            "[W]e apply the same
    - 7 -
    plausibility    standard     used   to   evaluate    a    motion   under    Rule
    12(b)(6)."     Gustavsen v. Alcon Lab'ys, Inc., 
    903 F.3d 1
    , 7 (1st
    Cir. 2018). At this stage in the proceedings, our analysis focuses
    on whether the two named plaintiffs have standing.                   See id.;
    Hochendoner, 
    823 F.3d at 730, 733-34
    ; 1 W. Rubenstein, Newberg and
    Rubenstein on Class Actions §§ 2:1, 2:3 (6th ed. June 2023 update).
    "[P]laintiffs bear the burden of demonstrating that they
    have standing," TransUnion LLC v. Ramirez, 
    141 S. Ct. 2190
    , 2207
    (2021), and must do so "with the manner and degree of evidence
    required at the successive stages of the litigation," id. at 2208
    (quoting Lujan v. Defs. of Wildlife, 
    504 U.S. 555
    , 561 (1992)).
    Plaintiffs "must demonstrate standing for each claim that they
    press and for each form of relief that they seek."                   
    Id.
        "To
    establish standing, a plaintiff must show an injury in fact caused
    by the defendant and redressable by a court order."            United States
    v. Texas, No. 22-58, slip op. at 4 (U.S. June 23, 2023); see
    Evenflo, 54 F.4th at 34.
    At    issue   in   this   appeal   is     the   "injury    in    fact"
    requirement -- and, in particular, the requirement that this injury
    be "concrete."     "[T]raditional tangible harms, such as physical
    harms and monetary harms" are "obvious[ly]" concrete.              TransUnion,
    141 S. Ct. at 2204.          Intangible harms can also be concrete,
    including when they "are injuries with a close relationship to
    harms traditionally recognized as providing a basis for lawsuits
    - 8 -
    in American courts," such as "reputational harms, disclosure of
    private information, and intrusion upon seclusion."     Id.; see also
    Spokeo, Inc. v. Robins, 
    578 U.S. 330
    , 340-41 (2016). This "inquiry
    asks whether plaintiffs have identified a close historical or
    common-law analogue for their asserted injury," but "does not
    require an exact duplicate."    TransUnion, 141 S. Ct. at 2204.
    "[A] material risk of future harm can [also] satisfy the
    concrete-harm requirement," but only as to injunctive relief, not
    damages.   Id. at 2210; see id. at 2210-11.      To have standing to
    pursue damages based on a risk of future harm, plaintiffs must
    demonstrate a separate concrete harm caused "by their exposure to
    the risk itself."    Id. at 2211.
    Applying these principles in TransUnion, the Supreme
    Court concluded that only a portion of the certified class in that
    case had standing to pursue the claim that TransUnion, a credit
    reporting agency, had failed to use reasonable procedures in
    maintaining its credit files.       See id. at 2200, 2208.   The class
    comprised individuals whose TransUnion credit reports bore alerts
    erroneously suggesting that they might be terrorists or other
    serious criminals.   Id. at 2201-02.    The Court held that the 1,853
    class members whose credit reports TransUnion disseminated to
    third parties had standing, because this injury bore a sufficiently
    close relationship to "the reputational harm associated with the
    tort of defamation."   Id. at 2208.     That the credit reports "were
    - 9 -
    only misleading and not literally false" did not defeat standing,
    because "an exact duplicate" of a traditionally recognized harm is
    not required.    Id. at 2209.
    However, the remaining 6,332 class members whose credit
    reports were not disseminated to third parties lacked standing.
    Id. at 2212. The Court first considered whether the mere existence
    of misleading alerts in these plaintiffs' internal TransUnion
    credit files (absent dissemination) was a concrete injury and
    concluded that it was not.      See id. at 2209-10.      The Court then
    rejected the plaintiffs' effort to establish standing for damages
    on a risk of future harm theory, reasoning that they had not
    demonstrated    that   they   "were    independently   harmed   by   their
    exposure to the risk itself -- that is, that they suffered some
    other injury . . . from the mere risk that their credit reports
    would be provided to third-party businesses."          Id. at 2211; see
    id. at 2210-11.    The Court noted that emotional harm might supply
    the requisite concrete, present injury but did not reach this
    question because the plaintiffs had not claimed any such injury.
    See id. at 2211 & n.7.
    III.
    A.
    We begin with Webb's standing to pursue damages.              We
    conclude that the complaint plausibly alleges a concrete injury in
    fact as to Webb based on the plausible pleading that the data
    - 10 -
    breach resulted in the misuse of her PII by an unauthorized third
    party (or third parties) to file a fraudulent tax return.3
    Our data security precedents support the conclusion that
    actual misuse of PII may constitute an injury in fact.    In Katz v.
    Pershing, LLC, 
    672 F.3d 64
     (1st Cir. 2012), we concluded that the
    named plaintiff lacked standing to sue as to her state law consumer
    protection claims that the defendant had employed inadequate data
    security   practices.    See   
    id. at 69-70
    .   We   stated   that
    "[c]ritically, the complaint [did] not contain an allegation that
    [her] nonpublic personal information ha[d] actually been accessed
    by any unauthorized user" -- let alone subsequently misused -- but
    rather "rest[ed] entirely on the hypothesis that at some point an
    unauthorized, as-yet unidentified, third party might access her
    data and then attempt to purloin her identity."    
    Id. at 79
    .     The
    alleged harm in that case was not "impending" because it was
    "unanchored to any actual incident of data breach."      
    Id. at 80
    .
    And the plaintiff could not manufacture standing by incurring
    mitigation costs in the absence of an impending harm.     See 
    id.
     at
    3    The claims asserted in the plaintiffs' complaint all
    arise from the IWP data breach, and neither party argues that the
    standing inquiry differs with respect to any claim. Accordingly,
    we treat the claims together throughout our analysis.          See
    TransUnion, 141 S. Ct. at 2213-14 (assessing standing for
    "intertwined" claims together); Evenflo, 54 F.4th at 35 (similar);
    Clemens v. ExecuPharm Inc., 
    48 F.4th 146
    , 156-59 (3d Cir. 2022)
    (employing same underlying standing analysis for contract, tort,
    and "secondary contract" claims in data breach case).
    - 11 -
    79.   We distinguished the case from those "in which confidential
    data actually has been accessed through a security breach and
    persons involved in that breach have acted on the ill-gotten
    information."      Id. at 80 (emphasis added).4
    We hold that the complaint's plausible allegations of
    actual misuse of Webb's stolen PII to file a fraudulent tax return
    suffice to state a concrete injury under Article III.                 This
    conclusion accords with the law of other circuits.          See, e.g., In
    re Equifax Inc. Customer Data Sec. Breach Litig., 
    999 F.3d 1247
    ,
    1262 (11th Cir. 2021) (identifying both "identity theft and damages
    resulting   from    such   theft"   as   concrete   injuries);   Attias   v.
    CareFirst, Inc., 
    865 F.3d 620
    , 627 (D.C. Cir. 2017) ("Nobody doubts
    that identity theft, should it befall one of these plaintiffs,
    would constitute a concrete and particularized injury.").
    4   Our decision in Anderson v. Hannaford Brothers Co., 
    659 F.3d 151
     (1st Cir. 2011), is also instructive.       To be clear,
    Anderson did not concern Article III standing. It did, however,
    discuss the types of harms that can arise out of data misuse
    following a data breach. 
    Id. at 162-67
    . In that case, we reversed
    the district court's dismissal of certain state law claims because
    the plaintiffs' alleged mitigation costs were incurred in response
    to a serious data breach and actual misuse of PII and were thus
    "reasonable" and "constitute[d] a cognizable harm under Maine
    law." 
    Id. at 154, 164
    ; see 
    id. at 162-67
    . The data breach involved
    "the deliberate taking of credit and debit card information by
    sophisticated thieves" and the "actual misuse" of this information
    to "run up thousands of improper charges across the globe." 
    Id. at 164
    ; see 
    id. at 154
    .    We concluded that "[t]he [plaintiffs]
    were not merely exposed to a hypothetical risk, but to a real risk
    of misuse." 
    Id. at 164
    .
    - 12 -
    The district court concluded that the complaint did not
    plausibly allege a connection between the data breach and the
    filing of the false tax return.           See Webb, 
    2022 WL 10483751
    , at *2
    n.4.     We disagree.      In our view, the complaint plausibly alleges
    a connection between the actual misuse of Webb's PII and the data
    breach.     In applying the plausibility standard required at the
    motion    to    dismiss    stage,   we    "[must]     draw   on   [our]   judicial
    experience and common sense . . . [and] read [the complaint] as a
    whole."        Evenflo, 54 F.4th at 39 (alterations and omission in
    original)        (internal     quotation        marks        omitted)     (quoting
    García-Catalán v. United States, 
    734 F.3d 100
    , 103 (1st Cir.
    2013)).     We must also "indulge all reasonable inferences in the
    plaintiff[s'] favor." Id. at 34 (alteration in original) (internal
    quotation marks omitted) (quoting Kerin, 
    770 F.3d at 981
    ).
    There is an obvious temporal connection between the
    filing of the false tax return and the timing of the data breach.
    Further, the complaint's allegation that Webb's PII was "used by
    an unauthorized individual" to file a false tax return is made in
    the context of allegations relating to harms Webb has suffered
    because of the data breach.           The complaint also alleges that Webb
    is "very careful about sharing her PII," "has never knowingly
    transmitted      unencrypted    PII      over   the   internet     or   any   other
    unsecured source," and stores documents containing her PII in a
    secure location.          The obvious inference to be drawn from these
    - 13 -
    allegations is that the criminal or criminals who filed the false
    tax return obtained Webb's PII from the IWP data breach, not from
    some other source.   And the complaint alleges that, as a result of
    the data breach and IWP's conduct, the plaintiffs "have suffered
    or are at an increased risk of suffering . . . [d]elay in receipt
    of tax refund monies . . . [and the] [u]nauthorized use of stolen
    PII."   These general allegations provide further support for a
    plausible connection.    See In re: SuperValu, Inc., Customer Data
    Sec. Breach Litig., 
    870 F.3d 763
    , 772 (8th Cir. 2017) (holding
    that, at the motion to dismiss stage, a complaint's "'general
    allegations embrace[d] those specific facts . . . necessary to
    support' a link between [a plaintiff's] fraudulent charge and the
    data breaches" (quoting     Bennett v.   Spear, 
    520 U.S. 154
    ,   168
    (1997))).
    We reject IWP's argument that the alleged actual misuse
    is not itself a concrete injury absent even more resulting harm to
    Webb. As described above, we agree with those courts that consider
    actual misuse of a plaintiff's PII resulting from a data breach to
    itself be a concrete injury.   See, e.g., Equifax, 999 F.3d at 1262;
    Attias, 
    865 F.3d at 627
    .    And beyond that, applying a TransUnion
    analysis, this alleged actual misuse is closely related to the
    tort of invasion of privacy based on appropriation of another's
    name or likeness, which "protect[s] . . . the interest of the
    individual in the exclusive use of his own identity, in so far as
    - 14 -
    it is represented by his name or likeness, and in so far as the
    use may be of benefit to him or to others."          Restatement (Second)
    of Torts § 652C cmt. a (Am. L. Inst. 1977); see id. § 652C cmt. b
    (noting that while some states have "limited . . . liability [by
    statute] to commercial uses of the name or likeness," the general
    rule is "not limited to commercial appropriation"); see also 141
    S. Ct. at 2204.
    B.
    Charley's standing to pursue damages is more difficult.
    The complaint does not allege actual misuse of Charley's PII.
    Nonetheless,   we   conclude   that,    in   light    of   the   plausible
    allegations of some actual misuse, the complaint plausibly alleges
    a concrete injury in fact based on the material risk of future
    misuse of Charley's PII and a concrete harm caused by exposure to
    this risk.5    This analysis is equally applicable to Webb and
    provides an independent basis for our conclusion that the complaint
    plausibly demonstrates standing as to Webb.
    5    The plaintiffs do not argue that the exposure of their
    PII in the breach was itself an intangible harm sufficient to
    confer standing -- for example, by analogy to the torts of breach
    of confidence or invasion of privacy based on public disclosure of
    private information. Cf. TransUnion, 141 S. Ct. at 2209 (analyzing
    similar "initial question" before turning to the plaintiffs' risk
    of future harm theory).    Accordingly, we do not consider this
    question.   And to the extent the plaintiffs seek to establish
    standing based on an alleged "diminution [in] value" of their PII,
    they have waived this argument by raising it for the first time in
    their reply brief.    See, e.g., United States v. Abdelaziz, No.
    22-1129, 
    2023 WL 3335870
    , at *41 n.36 (1st Cir. May 10, 2023).
    - 15 -
    1.
    "[A]    material   risk    of    future     harm   can    satisfy     the
    concrete-harm requirement," at least as to injunctive relief, when
    "the risk of harm is sufficiently imminent and substantial."
    TransUnion, 141 S. Ct. at 2210; see also Susan B. Anthony List v.
    Driehaus, 
    573 U.S. 149
    , 158 (2014); Clapper v. Amnesty Int'l USA,
    
    568 U.S. 398
    , 414 n.5 (2013).
    Many of the same factors we have considered in other
    data breach cases inform our conclusion as to standing in this
    case.   Plaintiffs face a real risk of misuse of their information
    following a data breach when their information is deliberately
    taken   by   thieves     intending     to    use   the   information         to   their
    financial advantage -- i.e., exposed in a targeted attack rather
    than inadvertently.          And the actual misuse of a portion of the
    stolen information increases the risk that other information will
    be misused in the future.
    We     stress   that    these     considerations          are    neither
    exclusive    nor     necessarily    determinative,        but   they    do    provide
    guidance.    See, e.g., McMorris v. Carlos Lopez & Assocs., LLC, 
    995 F.3d 295
    , 302        (2d Cir. 2021)         ("[D]etermining standing is an
    inherently fact-specific inquiry . . . .").                These considerations
    accord with other circuits' approach to determining when the risk
    of future misuse of PII following a data breach is imminent and
    substantial.        The Second Circuit considers:
    - 16 -
    (1) whether the plaintiffs' data has been
    exposed as the result of a targeted attempt to
    obtain that data; (2) whether any portion of
    the dataset has already been misused, even if
    the plaintiffs themselves have not yet
    experienced identity theft or fraud; and (3)
    whether the type of data that has been exposed
    is sensitive such that there is a high risk of
    identity theft or fraud.
    Id. at 303; see also id. at 300-03 (explaining the relevance of
    these factors).6   The Third Circuit also considers these factors.
    See Clemens v. ExecuPharm Inc., 
    48 F.4th 146
    , 153-54, 157 (3d Cir.
    2022).   Both circuits emphasize that these factors are "non-
    exhaustive."   McMorris, 995 F.3d at 303; Clemens, 48 F.4th at 153.
    Other circuits look to similar considerations.   See McMorris, 995
    F.3d at 300-03 (collecting cases and synthesizing principles).
    It stands to reason that data compromised in a targeted
    attack is more likely to be misused.    See Anderson, 
    659 F.3d at 164
    ; see also, e.g., McMorris, 995 F.3d at 301; Clemens, 48 F.4th
    at 153; Galaria v. Nationwide Mut. Ins. Co., 
    663 F. App'x 384
    , 388
    (6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 
    794 F.3d 688
    ,
    693 (7th Cir. 2015); In re Zappos.com, Inc., Customer Data Sec.
    Breach Litig., 
    888 F.3d 1020
    , 1029 n.13 (9th Cir. 2018); In re:
    6    McMorris and many of the other circuit cases discussed
    below were decided before TransUnion. Nevertheless, we think the
    factors the Second Circuit listed remain relevant to assessing the
    risk of future PII misuse.     See Clemens v. ExecuPharm Inc., 
    48 F.4th 146
    , 153-54, 157 (3d Cir. 2022) (citing McMorris and applying
    similar factors post-TransUnion).
    - 17 -
    U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 
    928 F.3d 42
    , 58-
    59 (D.C. Cir. 2019) ("OPM").
    That at least some information stolen in a data breach
    has already been misused also makes it likely that other portions
    of the stolen data will be similarly misused.                See Anderson, 
    659 F.3d at 164
    ;    see   also,   e.g.,   McMorris,    995   F.3d    at   301-02;
    Remijas, 
    794 F.3d at 693-94
    ; Zappos.com, 888 F.3d at 1027 n.7;
    OPM, 
    928 F.3d at 58-59
    .
    And the risk of future misuse may be heightened where
    the compromised data is particularly sensitive.                "Naturally, the
    dissemination of high-risk information such as Social Security
    numbers and dates of birth -- especially when accompanied by
    victims' names -- makes it more likely that those victims will be
    subject to future identity theft or fraud."            McMorris, 995 F.3d at
    302; see also Clemens, 48 F.4th at 154; OPM, 
    928 F.3d at 49, 59
    ;
    Attias, 
    865 F.3d at 628
    .          In contrast, the risk of future misuse
    may be lower where the stolen data is "less sensitive, . . . such
    as basic publicly available information, or data that can be
    rendered useless to cybercriminals."            McMorris, 995 F.3d at 302;
    see also Tsao v. Captiva MVP Rest. Partners, LLC, 
    986 F.3d 1332
    ,
    1343 (11th Cir. 2021) (emphasizing fact that plaintiff did not
    allege that his Social Security number or date of birth were
    compromised    in    data   breach);      SuperValu,   
    870 F.3d at 770-71
    (similar).
    - 18 -
    We hold that the totality of the complaint plausibly
    alleges an imminent and substantial risk of future misuse of the
    plaintiffs' PII.   The complaint alleges that the data breach was
    the result of an attack by "cybercriminals" who "infiltrated IWP's
    patient records systems" and "stole[] PII."     These hackers were,
    by IWP's own admission, able to compromise multiple employee email
    accounts and to remain undetected for almost four months.       The
    complaint further alleges that at least some of the stolen PII has
    already been misused to file a fraudulent tax return in Webb's
    name.   And the complaint alleges that the stolen PII "include[s]
    . . . patients' names and [S]ocial [S]ecurity numbers."   We do not
    hold that individuals face an imminent and substantial future risk
    in every case in which their information is compromised in a data
    breach. But on the facts alleged here, the complaint has plausibly
    demonstrated such a risk.
    2.
    To establish standing to pursue damages, the complaint
    must also plausibly allege a separate concrete, present harm caused
    "by [the plaintiffs'] exposure to [this] risk [of future harm]."
    TransUnion, 141 S. Ct. at 2211.      We conclude that the complaint
    has done so based on the allegations of the plaintiffs' lost time
    spent taking protective measures that would otherwise have been
    - 19 -
    put to some productive use.7           See Compl. ¶¶ 13, 56 (alleging
    "opportunity costs" and "lost wages" associated with "the time and
    effort expended addressing . . . future consequences of the [d]ata
    [b]reach").
    The    complaint    alleges      that    both   plaintiffs    spent
    "considerable    time   and   effort   monitoring      [their]    accounts   to
    protect [themselves] from . . . identity theft."                 The complaint
    elsewhere identifies the harms of lost time as "[l]ost opportunity
    costs and lost wages."        The loss of this time is equivalent to a
    monetary injury, which is indisputably a concrete injury.               See id.
    at 2204; see also Dieffenbach v. Barnes & Noble, Inc., 
    887 F.3d 826
    , 828 (7th Cir. 2018) (Easterbrook, J.) (recognizing that the
    opportunity cost of "one's own time needed to set things straight"
    following a data breach "can justify money damages, just as [it]
    support[s] standing"); In re: Gen. Motors LLC Ignition Switch
    Litig.,   
    339 F. Supp. 3d 262
    ,   307      (S.D.N.Y.   2018)    ("[T]he
    overwhelming majority of states adhere to the view that lost-time
    damages are the equivalent of lost earnings or income.").8              We join
    7    The complaint does not allege that Webb or Charley
    purchased identity theft insurance or credit monitoring services
    or incurred similar mitigation costs. See TransUnion, 141 S. Ct.
    at 2204; see also, e.g., Clemens, 48 F.4th at 156; Hutton v. Nat'l
    Bd. of Exam'rs in Optometry, Inc., 
    892 F.3d 613
    , 622 (4th Cir.
    2018).
    8    Because we conclude that the complaint plausibly alleges
    the loss of time that would otherwise have been put to profitable
    use, we do not consider whether the loss of personal time is either
    a tangible injury or an intangible injury with a "close historical
    - 20 -
    other circuits in concluding that time spent responding to a data
    breach can constitute a concrete injury sufficient to confer
    standing, at least when that time would otherwise have been put to
    profitable use.       See, e.g., Clemens, 48 F.4th at 158; Hutton v.
    Nat'l Bd. of Exam'rs in Optometry, Inc., 
    892 F.3d 613
    , 622 (4th
    Cir. 2018); Galaria, 663 F. App'x at 388-89; Lewert v. P.F. Chang's
    China Bistro, Inc., 
    819 F.3d 963
    , 967 (7th Cir. 2016); Equifax,
    999 F.3d at 1262.
    Because      this   alleged    injury   was   a   response   to   a
    substantial and imminent risk of harm, this is not a case where
    the plaintiffs seek to "manufacture standing by incurring costs in
    anticipation of non-imminent harm."        Clapper, 
    568 U.S. at 422
    ; see
    also, e.g., McMorris, 995 F.3d at 303; Hutton, 
    892 F.3d at 622
    .
    C.
    The     complaint's      allegations      also     satisfy    the
    traceability    and    redressability    standing   requirements.       The
    complaint alleges that IWP's actions led to the exposure and actual
    or potential misuse of the plaintiffs' PII, making their injuries
    fairly traceable to IWP's conduct.         See Evenflo, 54 F.4th at 41;
    Lexmark Int'l, Inc. v. Static Control Components, Inc., 
    572 U.S. 118
    , 134 n.6 (2014) ("Proximate causation is not a requirement of
    or common-law analogue." TransUnion, 141 S. Ct. at 2204; cf. Gen.
    Motors LLC, 339 F. Supp. 3d at 307 ("[M]ost states do not treat
    lost personal time as a compensable form of injury.").
    - 21 -
    Article III standing, which requires only that the plaintiff's
    injury be fairly traceable to the defendant's conduct.").                "And
    monetary    relief    would   compensate    [the    plaintiffs]    for   their
    injur[ies], rendering the injur[ies] redressable."                Evenflo, 54
    F.4th at 41.
    D.
    Defendants do not contend that the plaintiffs' ability
    to pursue emotional distress as a specific category of damages
    presents an independent Article III standing issue even after
    plaintiffs have shown an actual injury supporting their claim for
    damages generally under each cause of action, and for good reason.
    "It is firmly established in our cases that the absence of a valid
    .   .   .   cause    of   action   does    not    implicate   subject-matter
    jurisdiction, i.e., the courts' statutory or constitutional power
    to adjudicate the case."           Steel Co. v. Citizens for a Better
    Environment, 
    523 U.S. 83
    , 89 (1998).             On the appeal before us we
    consider only whether the plaintiffs have "demonstrate[d] standing
    for each claim that they press and for each form of relief that
    they seek."    TransUnion, 141 S.Ct. at 2208.         Having concluded that
    plaintiffs have supported each of their five causes of action for
    damages with at least one injury in fact caused by the defendant
    and redressable by a court order, we venture no further.                   Cf.
    Attias, 
    865 F.3d at
    626 n.2 (declining to address standing based
    on past identity theft because the risk of future identity theft,
    - 22 -
    along with associated mitigation expenses, sufficed to confer
    standing); Linman v. Marten Transp., Ltd., No. 22-CV-204-JDP, 
    2023 WL 2562712
    , at *3 (W.D. Wis. Mar. 17, 2023) (finding time spent
    mitigating the risk of identity theft sufficient for standing and
    declining    to       decide   whether    other   alleged    injuries   such   as
    emotional distress are sufficient); TransUnion, 141 S. Ct. at 2211
    & n.7.    Whether the plaintiffs have stated a claim for damages
    specifically arising out of their emotional distress is a question
    for IWP's 12(b)(6) motion which, as discussed below, we do not
    reach.
    IV.
    We    next    consider   the       plaintiffs'   standing   to   seek
    injunctive relief.         We conclude that the plaintiffs lack standing
    to pursue such relief because their requested injunctions are not
    likely to redress their alleged injuries.              See Lujan, 
    504 U.S. at 568-71
    .
    The only allegation in the complaint that injunctive
    relief is necessary is that plaintiffs' "PII [is] still maintained
    by [IWP] with [its] inadequate cybersecurity system and policies."
    Naturally,       an     injunction       requiring    IWP    to   improve      its
    cybersecurity systems cannot protect the plaintiffs from future
    misuse of their PII by the individuals they allege now possess it.
    Any such relief would safeguard only against a future breach.
    - 23 -
    But the plaintiffs do not allege that any such future
    breach will occur.            "Standing for injunctive relief depends on
    'whether [the plaintiffs are] likely to suffer future injury.'"
    Laufer v. Acheson Hotels, LLC, 
    50 F.4th 259
    , 276 (1st Cir. 2022)
    (quoting City of Los Angeles v. Lyons, 
    461 U.S. 95
    , 105 (1983)).
    Here, any available inference that IWP's prior data breach might
    make    a    future    data    breach    more    likely    is    undercut    by    the
    plaintiffs' own allegation that "[f]ollowing the [d]ata [b]reach,
    IWP implemented new security safeguards to prevent and mitigate
    data breaches -- measures that should have been in place before
    the data breach."          Instead, IWP faces much the same risk of future
    cyberhacking as virtually every holder of private data.                      If that
    risk    were      deemed   sufficiently    imminent       to   justify    injunctive
    relief, virtually every company and government agency might be
    exposed      to    requests   for   injunctive     relief       like   the   one   the
    plaintiffs seek here.           We decline to hold as much.              Because the
    plaintiffs have not shown that their requested injunction would
    likely redress their alleged injuries, they lack standing to pursue
    that form of relief.          Cf. Lujan, 
    504 U.S. at 568-71
    .
    The plaintiffs also request that the district court
    "[e]njoin[] [IWP] from further deceptive and unfair practices and
    making untrue statements about the [d]ata [b]reach and the stolen
    PII."       But nowhere do the plaintiffs allege that IWP is likely to
    make deceptive statements about that past breach in the future or
    - 24 -
    that any such statements would harm the plaintiffs, particularly
    now that they know about the breach.    Here, too, the plaintiffs'
    requested injunction would have no chance of redressing any alleged
    injury, and they lack standing to pursue it.
    V.
    We do not reach IWP's Rule 12(b)(6) arguments.       The
    district court did not rule on these arguments, see Webb, 
    2022 WL 10483751
    , at *1 n.2, and will have the opportunity to do so in the
    first instance on remand, see, e.g., Evenflo, 54 F.4th at 41.
    VI.
    For the foregoing reasons, we affirm in part, reverse in
    part, and remand for further proceedings consistent with this
    opinion.   No costs are awarded.
    - 25 -