NY District Court Kicks Data Breach Lawsuit Against Episcopal Health Services Back to State Court

A lawsuit filed by patients of Uniondale, N.Y-based Episcopal Health Services Inc., whose personal and protected health information was compromised in a phishing attack in 2018, has been kicked back to the New York State Supreme Court for further proceedings.

The lawsuit alleges Episcopal Health Services had failed to protect the private information of its patients from unauthorized disclosures. As a result of those failures, Episcopal Health Services suffered a breach of some of its employee email accounts between August 28, 2018 and October 5, 2018. The email accounts contained a range of sensitive data including patients’ names, addresses, dates of birth, Social Security numbers, and financial information. The PHI of more than 218,000 patients was exposed in the email system breach.

The lawsuit named three plaintiffs who were patients of St. John’s Episcopal Hospital. They claimed injuries had been suffered as a direct result of the disclosure of their confidential information. The lawsuit referenced the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission (FTC) Act, with the plaintiffs claiming Episcopal Health Services had violated those laws. The plaintiffs also alleged a breach of fiduciary duty, a breach of implied contract, a delay in issuing notifications about the breach, and negligence with respect to the hiring and training of its employees.

Episcopal Health Services removed the case from the New York State Supreme Court, alleging the claims fell under HIPAA and the FTC Act, which are federal laws. The defendant also sought to have the lawsuit dismissed for lack of standing and failure to state a claim.

The lawsuit was kicked up to the U.S. District Court for the Eastern District of New York, which recently ruled that the lawsuit did not raise any questions about federal law. While HIPAA and the FTC Act were referenced in the lawsuit, the claims were not based on HIPAA or FTC Act violations, instead they were common law causes of action. There is no private cause of action in either HIPAA or the FTC Act. Actions can only be taken over violations of HIPAA by the Department of Health and Human Services or State Attorneys General, while the FTC Act can only be enforced by the Federal Trade Commission.

District Court Judge Dora L. Irizarry ruled that the District Court did not have the authority to preside over the case, so the case was sent back to the New York State Supreme Court for further proceedings. No ruling was made on Episcopal Health Services’ motion to dismiss the lawsuit.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.