BreachExchange mailing list archives

Omnicell data breach suit dismissal: Healthcare ramifications


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Jan 2014 17:29:10 -0700

http://healthitsecurity.com/2014/01/06/omnicell-data-breach-suit-dismissal-healthcare-ramifications/

A lawsuit against Omnicell stemming from a 2012 health data breach was
recently dismissed, in part, because the plaintiff failed to prove damages
related to the breach. The interesting part of the dismissal, however, was
that four separate defendants were involved and used different defenses.
Omnicell served as a business associate (BA) for Sentara Healthcare, South
Jersey Health System, Inc., (now Inspira Health Network, Inc.) and the
Board of Regents of the University of Michigan when a laptop with some of
their unencrypted PHI was stolen from an employee’s car in 2012.

Read the dismissal decision here (
http://healthitsecurity.com/wp-content/uploads/Polanco-Dismissal-Opinion.pdf
).

In dismissing the case, the court provided a strong reminder that suing for
damages in a private cause of action related to a data breach puts a heavy
burden of proof on plaintiffs to show that (1) the healthcare organizations
were at fault for the breach and (2) the damages were a direct result of
the breach. Because there were four defendants and the courts divided the
case into the four defenses that each group of defendants offered,
HealthITSecurity.com spoke with Randy Gainer, partner in the Seattle office
of Davis Wright Tremaine. Gainer was able to successfully move to dismiss
the putative class action claims against South Jersey Hospital, now known
as Inspira, but also discussed some of the other defenses raised in the
lawsuit.

First, claims against hospitals run by the University of Michigan were
dismissed on 11th Amendment grounds. “The court agreed with their argument
that the State of Michigan had not waived their sovereign immunity to be
subject to these types of claims, and the claims against the Michigan
hospitals were dismissed,” Gainer said. The court didn’t even have to
review the other defenses that Michigan had raised.

Next were the claims involving Sentara hospital, in which the stolen laptop
included Sentara hospital data. Neither the plaintiff, nor her daughter,
Gainer explained, had been treated at those hospitals and the court held
that they couldn’t show constitutional standing against Sentara because it
did nothing to cause the breach to occur. Nor did it cause any damage to
the plaintiff, Gainer said.

And then Gainer’s client, Inspira, which purchased South Jersey Hospital
where the plaintiff’s daughter had been treated, was involved because
Omnicell had been doing some work for Inspira. Gainer said his arguments
synced up with Omnicell’s, which was that although the data may have been
on the laptop, there was no evidence that the plaintiff had pleaded any
facts that she or her daughter had been injured in any way. The court
accepted that Constitutional standing requirement and dismissed the claims
against Inspira and Omnicell, Gainer said.

For Gainer, there were three significant things about the decision:

1. 11th Amendment sovereign immunity can be a defense

It’s useful for publicly run hospitals that the court accepted the 11th
Amendment sovereign immunity argument from the University of Michigan. So
going forward, it’s clear that publicly run hospitals who haven’t waived
sovereign immunity will be able to rely on that defense on appeal.

2. Causation

The causation argument is also important. Many of these types of cases make
that argument, but I’m not aware of many that focus on a causation issue,
so that’s critical for defendants that are facing these types of claims.

3. The need for substantial damage proof

And then the decision that stated the plaintiffs failed to prove harm under
constitutional standing and was grounds for dismissal was important. There
are other cases that have gone that way in the decisions, but it’s always
good to have courts say that they’re not even going to entertain lawsuits
if the plaintiffs can’t prove genuine economic damages. The plaintiff
contended by saying that she had driven further for treatment for her daughter
because she was concerned about the security at the hospital. The court,
like some others before it, said that the argument wasn’t good enough. It
said those were self-imposed damages based on fear that bad things may
happen in the future, which isn’t good enough to show Constitutional harm.