Tuesday, January 26, 2021 While many federal courts have weighed in on the issue of what suffices for Article III standing in the context of a data breach litigation, not all state courts have. Last week, the Superior Court of Delaware found that a group of plaintiffs who received a notice that their personal information had been potentially compromised in a data breach had not alleged an injury in fact, and did not have standing to bring suit. In Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021), defendant Brandywine Urology Consultants (“Brandywine”) experienced a ransomware attack in January 2020 that blocked access to its computer system and data, including patient records. During the pendency of the attack, the cybercriminals also encrypted patient records that contained sensitive personal and financial information. Brandywine took steps to remedy the attack, including removing the malware and hiring an outside security firm to investigate whether protected health information (“PHI”) had been compromised (the security firm later confirmed that it had not). In March 2020, Brandywine sent a notice to its patients about the attack, informing them that their data could potentially have been compromised.