HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Philadelphia Judge Tosses Class Action Data Breach Lawsuit

A proposed class action lawsuit against the HIPAA-covered entities Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan has been tossed by a Philadelphia judge. The alleged negligence of the health plans was not deemed to warrant a class action lawsuit. Avrum Baum, one of the plaintiffs named in the lawsuit, alleged negligence and unfair trade practices when filing the claim on behalf of his special needs daughter.

The suit was filed after a flash drive containing the Protected Health Information and Personally Identifiable Information of over 200,000 health plan members was lost in 2010. Employees copied the data onto the drive, but then misplaced it and were unable to locate the plug-in device.

A case could have been filed on the grounds of violations of the Health Insurance Portability and Accountability Act (HIPAA), although the plaintiff’s legal team chose to file the suit on the grounds of negligence and a breach of the state of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (“UTPCPL”).

Class Action Lawsuits under Pennsylvania’s Unfair Trade Practices and Consumer Protection Law

UTPCPL permits a private, individual purchaser to take legal action to recover damages after an unlawful act caused that individual to suffer “ascertainable monetary or property loss.”

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The trial court heard the case on July 25, 2013, but denied the motion. “Baum’s complaint specifically alleged both fraudulent and deceptive conduct on the part of Keystone Mercy, the trial court’s denial of the motion to certify his claim as a class action was improper.“ Baum appealed the verdict and was given a second chance to file the claim.

Under UTPCPL, class action claims have had to show justifiable reliance on a defendant’s wrongful conduct and demonstrate subsequent harm was suffered as a result of that reliance. However, it was deemed that the lawsuit was inappropriate on these grounds. The plaintiff claims, citing two previous cases, that “justifiable reliance is not necessary to recover damages where a complaint alleges deceptive conduct.”

However, the case was rejected in late December 2014 by the Pennsylvania Superior Court and the case was referred back to the trial court for further consideration, in particular, regarding the conditions required for class action certification.

Philadelphia Court of Common Pleas Judge Rejects Class Action Lawsuit

Judge Mary D. Colins recently ruled that the Philadelphia court was correct in denying the class action; however the referral to consider the claims for violations of UTPCPL has also resulted in the claim being denied.

The Judge said that Baum had not established and demonstrated that either health plan had “acted deceptively in their pledges of security, nor did they lose any personally identifying information such as his daughter’s Social Security number or name and address.”

The data stored on the drive was not the only copy of the information, so the loss of the flash drive did not constitute loss of PHI and PII. The judge ruled that there was no evidence that data had been lost or even that Baum’s daughter had suffered a loss of privacy. The judge said that even if the data was obtained by a third party, it would not be possible to identify Baum’s daughter based on the information contained on the drive. There was also no “ascertainable loss” suffered as a result of the incident.

Collins also said “There is no evidence on the record that the plaintiff purchased, leased or gave any consideration at all for the policy covering his daughter” – Baum’s daughter’s insurance is paid for by the state – and Baum “could not satisfy the typicality requirement for class actions because he did not demonstrate that he had standing to represent other class members or that he suffered a common loss.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.