No Pseudonymity for Plaintiff in Medical Data Breach Case

From A.S. v. Anthem Ins. Cos., Inc., decided Wednesday by Magistrate Judge Mario Garcia (S.D. Ind.):

Plaintiff's Motion asks to proceed semi-anonymously, using only his or her initials, "A.S." A.S. argues that proceeding under only initials is appropriate here because A.S. is an alleged victim of a healthcare data breach and is therefore concerned about "privacy and security should [A.S.'s] name be included in this action and made publicly available." A.S. contends that "[f]urther disclosure of [A.S.'s] name would permit the public, and perhaps additional criminals, to link [A.S.'s] name to the subject data breach and thereby link [A.S.] to the breach by name." Another reason to proceed semi-anonymously, says A.S., is because "the data breach involved [A.S.]'s current employer and [A.S.] desires to maintain … confidentiality as the Plaintiff in this matter on that basis as well." A.S. says Defendant "will suffer no undue prejudice" if the Court permits A.S. to proceed under initials.

"The use of fictitious names is disfavored, and the judge has an independent duty to determine whether exceptional circumstances justify such a departure from the normal method of proceeding in federal court." That is so because "judicial proceedings, civil as well as criminal, are to be conducted in public," and "[i]dentifying the parties to the proceeding is an important dimension of publicness" because "[t]he people have a right to know who is using their courts." There are narrow exceptions to the presumption of public proceedings that permit the use of fictitious names, such as "to protect the privacy of children, rape victims, and other particularly vulnerable parties or witnesses." …

[T]he lawsuit [does not] involve[] disclosure of "information of the utmost intimacy" …. This case does not concern A.S.'s medical treatments. It's a case about Defendants' alleged negligence in how it handles information. Furthermore, to the extent sensitive medical information becomes relevant, the Court can address such information via a proper motion under S.D. Ind. L.R. 5-11 or a protective order. See Noe v. Carlos (N.D. Ind. 2008) ("Though Noe's name would be listed on the court's docket, her medical records containing private information can be filed under seal, and disclosure of that information will not be required."). The Seventh Circuit has also made clear that "the fact that a case involves a medical issue is not a sufficient reason for allowing the use of a fictitious name." …

Plaintiff's brief largely focuses on the [argument that] … identifying Plaintiff will put him or her at risk of suffering injury. Plaintiff says publishing his or her name will increase prospects of experiencing identity theft from the alleged data breach. However, an individual's name is not sensitive data in and of itself, and Plaintiff does not explain how publication of Plaintiff's name would place Plaintiff's data at further risk. Plaintiff also contends that "a public display of [A.S.'s] name in association with the breach would put [A.S.] at risk of further emotional distress related to the breach and invasion of [A.S.'s] privacy." However, attention brought to oneself by virtue of filing the lawsuit is not a legitimate harm in and of itself. In sum, Plaintiff's Motion does not support a finding that requiring him or her to proceed under their actual name will subject Plaintiff to the kind of physical or mental injury that this Court and the Seventh Circuit have found may support a plaintiff proceeding anonymously….

For more on the subject, see The Law of Pseudonymous Litigation.