HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

BJC HealthCare Email Data Breach Lawsuit Survives Motions to Dismiss

A class action lawsuit filed by two former patients against BJC HealthCare over a March 2020 email data breach has survived two motions to dismiss.

Leaha Sweet and Bradley Dean Taylor took legal action against St. Louis-based BJC HealthCare in September 2020 after being notified that their protected health information had potentially been compromised in a data breach.

BJC HealthCare had discovered the email accounts of three of its employees had been accessed by unauthorized individuals. The email accounts contained a range of sensitive patient data including Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, patient account numbers, and treatment and clinical information.

The lawsuit listed 10 counts against the defendants: Unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, invasion of privacy, vicarious liability, bailment, and violations of the Missouri Merchandising Practicing Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA).

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The defendants – BJC HealthCare and BJC Collaborative, LLC – filed two separate motions to dismiss, arguing that the United States District Court for the Southern District of Illinois lacked personal jurisdiction over BJC HealthCare, that the plaintiffs failed to allege an injury sufficient to confer standing, that the compliant should be dismissed in its entirety for failure to state a claim, and that individual counts should be dismissed for the failure to state a claim.

In a June 29, 2021 order, Chief Judge Nancy J. Rosentengel dismissed the invasion of privacy claim as Illinois law states that the party alleging an invasion of privacy must demonstrate the act was intentional. The plaintiffs were unable to prove that was the case. The claim of bailment was also dismissed as the plaintiffs did not allege that they sought a return of their property (their protected health information) or that the health system had failed to return it.

The lawsuit will now proceed and BJC Healthcare must face the remaining 8 counts.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.