Lawyers representing Flowers Hospital in Dothan, AL, have urged a federal judge to dismiss a proposed class action data breach lawsuit filed against the hospital, against the recommendation of a magistrate judge.
The lawsuit was first filed in May 2014, after a former employee of the hospital – Kamarian Millender, 29, of Headland, AL – was discovered to have stolen the Protected Health Information (PHI) of patients, with the intent of using the data to file false tax returns.
Patient names, dates of birth, Social Security numbers and health plan information were stolen from the hospital between June 2013 and February 2014. The hospital discovered the theft on February 26, and Millender’s employment contract was terminated. Millender was subsequently charged with trafficking in stolen identities, and admitted to filing at least 73 fraudulent tax returns in the names of the victims. Flowers Hospital issued breach notification letters to the victims shortly after the discovery of the privacy violation, and offered the affected patients a year of credit monitoring services without charge.
Back in July 2014, Flowers Hospital submitted a motion to dismiss the proposed class-action lawsuit and urged U.S. District Judge W. Keith Watkins to toss the case because the plaintiffs were unable to link the theft of their data to financial losses. There was no doubt that the plaintiffs had had false tax returns filed in their names, but they were unable to provide evidence that they had been denied tax refunds, or had incurred expenses which had not been reimbursed. The judge did not toss the case; instead, he gave the plaintiffs the opportunity to amend their claims against the hospital.
The plaintiffs had claimed that the hospital had been negligent and alleged the data theft represented a violation of the Health Insurance Portability and Accountability Act (HIPAA), a claim vehemently denied by the hospital. Lawyers for the hospital maintained that even if HIPAA Rules had been violated, it would not constitute negligence on the part of the hospital.
The lawsuit survived the first motion to dismiss; however, a second amended complaint has since been filed, this time claiming a violation of the Fair Credit Reporting Act. The plaintiffs claim that Flowers Hospital failed to fulfil its responsibility to protect the private data of patients, and did not do enough to prevent the theft by Millender.
According to the hospital’s lawyers, “The second amended complaint goes no further than to merely include the conclusory statement that plaintiffs suffered ‘economic damages’ as a result of a fraudulent tax return. No further facts are provided to support this claim for damages.”
In contrast to many class-action lawsuits filed against healthcare providers for the exposure of PHI, the plaintiffs have not claimed they face an increased risk of suffering financial harm as a result of the data breach. In this case they claim they actually suffered “concrete economic loss of their tax refunds.” They also claim they can accurately trace the losses back to the hospital, as the employee confessed to stealing their data and using the information to file fraudulent tax returns.
Lawyers for the hospital have argued that there were no losses, and that tax refunds had only been delayed. Even if the case were to be certified, the lawyers have said a claim could only be made to cover the cost of credit monitoring services, which were actually offered to the plaintiffs for a year without charge.
The magistrate judge dismissed the claim for the invasion of privacy suffered by the plaintiffs, but said that the case had standing based on the fact that losses had actually been suffered. The magistrate judge also said the claims for a breach of contract could be maintained “even though the contract is a general privacy notice required under HIPAA,” and also that HIPAA can provide the basis for a negligence claim.
The class action data breach lawsuit may have standing, and the plaintiffs have grounds for making a negligence claim, but what has yet to be established is whether the hospital could realistically have put sufficient protections in place to prevent a single employee from stealing patient data.