Class Certification Order Lifted in Data Breach Lawsuit Against West Virginia University Health System

A class action lawsuit filed against West Virginia University Health System over a breach of the protected health information of 7,445 patients has had the class certification order lifted by the Supreme Court of Appeals of West Virginia.

The lawsuit is related to an insider data breach that occurred in 2016. Between March 2016 and January 2017, Angela Roberts, a former registration specialist at Berkeley Medical Center and Jefferson Medical Center, which are affiliated with West Virginia University Health System, accessed the medical records of 7,445 patients with a view to committing identity theft and fraud. When the unauthorized access was discovered, Roberts admitted she had accessed the medical records for work purposes, but also to steal patient data to provide to her boyfriend and co-defendant Ajarhi “Wayne” Roberts.

When viewing the medical records for legitimate work purposes, Ms. Roberts determined whether there was enough information to allow her and her boyfriend to steal patients’ identities. If sufficient information was there, the information was stolen and provided to Mr. Roberts with a view to committing identity theft. Fake Social Security cards were then produced in order to commit bank fraud.

Ms. Roberts was charged in a 36-count indictment and signed a plea agreement to one count of identity theft in 2017. She admitted unlawfully acquiring the names, signatures, dates of birth, Social Security numbers, and driver’s license numbers of 10 patients, and that she passed that information to her boyfriend who used the information to open accounts. Victims suffered monetary losses of $20,757 and Roberts was ordered to pay $5,189.25 in restitution.

A lawsuit was filed on behalf of plaintiffs Deborah Welch and Eugene Roman that sought class action status covering the patients whose medical records were impermissibly accessed. Welch and Roman successfully certified a class of 7,445 patients; however, the defendants argued that the class representatives lacked standing as they had suffered no injury-in-fact from the legitimate accessing of their medical records by Ms. Roberts.

The Supreme Court of Appeals recently determined Welch lacked standing to sue for a breach of confidentiality or an invasion of privacy because she had suffered no injury-in-fact from the employee’s legitimate accessing her medical records, and other prerequisites to class certification were not met. The Supreme Court of Appeals ruled that Roman, who represented a subclass of 109 individuals, also failed to meet the prerequisites for class certification and that the circuit court failed to provide a thorough analysis of the typicality prerequisite in light of Roman’s circumstances and claims. The class certification order was lifted as in order for a class action lawsuit to proceed, at least one of the named plaintiffs must have standing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.