BreachExchange mailing list archives
Evolving litigation of data breach claims
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 29 Sep 2015 18:35:33 -0600
http://www.lexology.com/library/detail.aspx?g=52dd1ee9-3cf6-4874-b398-e769cdeae41b

An Illinois circuit court judge has dismissed five of six claims in a consolidated class action against Advocate Health and Hospital Corporation arising from a data breach in July 2013. The judge’s dismissal with prejudice leaves only a negligence claim, based on a duty to reasonably safeguard information, pending against Advocate.

The complaint included allegations that the hospital’s written policies, which referenced compliance with data privacy laws, formed part of Advocate’s promise to plaintiffs. The plaintiffs argued that Advocate’s failure to follow its own policies and procedures, and adequately protect patient information, was a breach of contract. However, the circuit court’s order dismissed the claims based on breach of express contract, implied contract, fiduciary duty and unjust enrichment.

The dismissal order in the consolidated case represented a new episode in a series of suits filed against Advocate stemming from its announcement that four unencrypted laptop computers were stolen from an administrative office in July 2013.

In August 2015, in a federal court case arising from the Advocate data breach, the Seventh Circuit Court of Appeals affirmed a lower court’s decision that Advocate was not a “consumer reporting agency” under the Fair Credit Reporting Act (“FCRA”). Tierney v. Advocate Health and Hospitals Corporation. In part, the federal law defines a consumer reporting agency as a person collecting and furnishing consumer information to third parties in exchange for payment. In affirming dismissal of the FCRA claims, the court determined Advocate was not paid by Medicare and insurance companies for collecting and transmitting patient information, rather, payments received by Advocate were for healthcare services provided by its physicians.

Two other state court cases that raised claims of negligence and violations of state data breach laws against Advocate were dismissed earlier this year for lack of standing. On appeal, the Second District Illinois Appellate Court consolidated both cases and affirmed the dismissal orders. Maglio v. Advocate Health and Hospitals Corporation. The Appellate Court held that plaintiffs’ allegations of injury based only on an increased risk for identity theft were speculative and conclusory.

As the Advocate cases demonstrate, data breaches will continue to generate claims under both federal and state laws. The federal privacy law, HIPAA, has provided a compliance cornerstone for healthcare providers to safeguard patient information. While HIPAA litigation is alive and well, a developing caveat is that state laws – through data breach and negligence claims – are becoming litigation pressure points for healthcare providers. Additionally, the enactment of new and amended state laws aimed at further protecting the consumer and medical information may provide fertile grounds for data breach claims under state law.