About the Author
Joseph L. Fink III, JD, DSc (Hon), BSPharm, FAPhA, is professor emeritus of pharmacy law and policy and former Kentucky Pharmacists Association Professor of Leadership at the University of Kentucky College of Pharmacy in Lexington.
Publication: Pharmacy Times
At least 1 patient had a fraudulent tax return filed using illegally obtained personal information.
The Issue of the Case
When hackers accessed the database of patient information at a mail-order pharmacy, they gained access to information that could be misused. The question then became whether the patients could maintain a lawsuit against the pharmacy based on state law rather than the Health Insurance Portability and Accountability Act (HIPAA).
The Facts of the Case
In January 2021, a data breach occurred at a mail-order pharmacy in New England serving workers’ compensation patients in several states, exposing the personally identifiable information (PII) of more than 75,000 individuals. Two of the affected patients filed a lawsuit in US District Court advancing several bases for alleged liability and seeking to have the matter certified as a class action lawsuit against the pharmacy on behalf of everyone exposed to potential damage.
The information in the illicitly accessed database included patients’ full names, Social Security numbers, and dates of birth, along with financial information such as credit card information, health insurance, medications being used, diagnoses, treatments, health care providers, and Medicare/Medicaid identification numbers. When patients signed up with the pharmacy, they received assurances that their PII would be secure.
Although the breach occurred in January, it was not discovered until May of that year. During the intervening months, the hackers were able to continue accessing the database of PII. Moreover, when pharmacy officials learned of the breach, they did not immediately notify the patients; rather, they initiated a 7-month investigation and worked to implement new data security safeguards. Notification of affected patients about the breach began in February 2022, more than a year later.
Based on state law, the lawsuit asserted claims of negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty. It is highly noteworthy that this lawsuit was not tied to HIPAA. The access to federal court was based on the parties’ locations in different states (diversity jurisdiction), not on the case presenting a federal question arising under a federal statute.
The pharmacy moved to have the trial court dismiss the matter because the plaintiffs’ complaints “did not plausibly allege an injury in fact.” The trial court judge granted that motion, dismissing the case, and the plaintiffs appealed to the relevant US Court of Appeals.
The Court’s Ruling
There were several issues presented to the appellate court to address. The most important issue was standing: Had the plaintiffs presented proven information about an injury? The appellate panel ruled that they had indeed met that expectation.
The Court’s Reasoning
The main injury identified by the plaintiffs was the “actual misuse of PII to file a fraudulent tax return,” which happened to at least 1 patient. Additionally, the plaintiffs had shown “imminent and substantial risk for future harm, as well as a present and concrete harm resulting from the exposure to this risk.” Taken in sum, the net result was that the matter was returned to the trial court for a trial to proceed.