RICHMOND, Va.—A data breach lawsuit involving the National Board of Examiners in Optometry Inc. (NBEO) as a defendant is headed back to U.S. District Court following a ruling by the 4th U.S. Circuit Court of Appeals here last week. The suit, which was initially filed in August 2016 in Baltimore, is Rhonda L. Hutton et al. v. National Board of Examiners in Optometry Inc. In the suit, the plaintiffs claimed they had suffered injuries as a result of an alleged data breach affecting NBEO, which is headquartered in Charlotte, N.C.

“Three optometrists, Rhonda L. Hutton, Tawny P. Kaeochinda, and Nicole Mizrahi (the plaintiffs), as representatives of the putative class of victims, specify in two complaints that their personal information and that of the class members was stolen in the NBEO data breach,” the court’s ruling stated. The plaintiffs’ claims allege negligence, breach of contract, breach of implied contract, and unjust enrichment and arise from “NBEO’s failure to adequately safeguard personal information of the Plaintiffs and the class members,” according to the ruling.

The district court dismissed the complaints for lack of subject-matter jurisdiction, based on a failure to establish that the plaintiffs possessed standing to sue and that “the complaints had not sufficiently alleged the necessary injury-in-fact and that, in any event, they failed to sufficiently allege that any injuries suffered by the plaintiffs were fairly traceable to conduct of the NBEO,” the ruling stated.

NBEO officials could not be reached for comment on the court’s ruling at VMAIL’s press time on Friday.

The matter dates to July 2016 when some U.S. optometrists noticed that Chase Amazon Visa credit card accounts had been fraudulently opened in their names. “The creation of those fraudulent accounts — which required the use of an applicant’s correct social security number and date of birth — convinced several of the victims that data containing their personal information had been stolen,” the court stated in the ruling.

According to the ruling, NBEO became aware of the data breach concerns and in early August 2016 released a statement on its Facebook page asserting that, “[a]fter a thorough investigation and extensive discussions with involved parties,” the NBEO had determined that its “information systems [had] NOT been compromised.” Later in August, “NBEO revised its earlier announcements ‘with a cryptic message stating its internal review was still ongoing and that it may take a number of additional weeks to complete,’” the ruling stated.

The plaintiffs filed their lawsuit just a few days later, according to the court ruling.

The lower federal court had dismissed the case, finding that the plaintiffs “simply alleged speculative harms that could only occur in the future,” according to the ruling. And the district court ruling noted that any alleged injury “was not traceable” to NBEO.

Last week, the three-judge panel at the Circuit Court here unanimously reinstated the litigation. Other national optometry organizations do not gather or store Social Security numbers, the ruling also noted.