Dedicated to providing the latest
HIPAA compliance news

Philadelphia Judge Tosses Class Action Data Breach Lawsuit

Share this article on:

A proposed class action lawsuit against the HIPAA-covered entities Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan has been tossed by a Philadelphia judge. The alleged negligence of the health plans was not deemed to warrant a class action lawsuit. Avrum Baum, one of the plaintiffs named in the lawsuit, alleged negligence and unfair trade practices when filing the claim on behalf of his special needs daughter.

The suit was filed after a flash drive containing the Protected Health Information and Personally Identifiable Information of over 200,000 health plan members was lost in 2010. Employees copied the data onto the drive, but then misplaced it and were unable to locate the plug-in device.

A case could have been filed on the grounds of violations of the Health Insurance Portability and Accountability Act (HIPAA), although the plaintiff’s legal team chose to file the suit on the grounds of negligence and a breach of the state of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (“UTPCPL”).

Class Action Lawsuits under Pennsylvania’s Unfair Trade Practices and Consumer Protection Law

UTPCPL permits a private, individual purchaser to take legal action to recover damages after an unlawful act caused that individual to suffer “ascertainable monetary or property loss.”

The trial court heard the case on July 25, 2013, but denied the motion. “Baum’s complaint specifically alleged both fraudulent and deceptive conduct on the part of Keystone Mercy, the trial court’s denial of the motion to certify his claim as a class action was improper.“ Baum appealed the verdict and was given a second chance to file the claim.

Under UTPCPL, class action claims have had to show justifiable reliance on a defendant’s wrongful conduct and demonstrate subsequent harm was suffered as a result of that reliance. However, it was deemed that the lawsuit was inappropriate on these grounds. The plaintiff claims, citing two previous cases, that “justifiable reliance is not necessary to recover damages where a complaint alleges deceptive conduct.”

However, the case was rejected in late December 2014 by the Pennsylvania Superior Court and the case was referred back to the trial court for further consideration, in particular, regarding the conditions required for class action certification.

Philadelphia Court of Common Pleas Judge Rejects Class Action Lawsuit

Judge Mary D. Colins recently ruled that the Philadelphia court was correct in denying the class action; however the referral to consider the claims for violations of UTPCPL has also resulted in the claim being denied.

The Judge said that Baum had not established and demonstrated that either health plan had “acted deceptively in their pledges of security, nor did they lose any personally identifying information such as his daughter’s Social Security number or name and address.”

The data stored on the drive was not the only copy of the information, so the loss of the flash drive did not constitute loss of PHI and PII. The judge ruled that there was no evidence that data had been lost or even that Baum’s daughter had suffered a loss of privacy. The judge said that even if the data was obtained by a third party, it would not be possible to identify Baum’s daughter based on the information contained on the drive. There was also no “ascertainable loss” suffered as a result of the incident.

Collins also said “There is no evidence on the record that the plaintiff purchased, leased or gave any consideration at all for the policy covering his daughter” – Baum’s daughter’s insurance is paid for by the state – and Baum “could not satisfy the typicality requirement for class actions because he did not demonstrate that he had standing to represent other class members or that he suffered a common loss.”

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On