American Journal of Law & Medicine

Increasing Recognition of "Risk of Harm" as an Injury Sufficient to Warrant Standing in Class Action Medical Data Breach Cases

Walker v. Boston Medical Center Corp. (1)--On November 20, 2015, the Superior Court of Massachusetts (the "Trial Court") for Suffolk County denied Defendant Boston Medical Center Corporation's (hereinafter "Defendant" or "BMC") motion to dismiss for lack of standing. Patients of BMC brought a class action on behalf of themselves and similarly situated patients after they received notice from BMC that their patient records "were inadvertently made accessible to the public through an independent medical record transcription service's online site." (2) Plaintiffs filed suit on June 10, 2015 against BMC, BMC's medical record transcription servicer, MDF Transcription, LLC ("MDF"), and MDF's manager and owner, Richard Fagan ("Fagan") (collectively "Defendants"). Plaintiffs sued Defendants for invasion of privacy, breach of confidentiality, breach of fiduciary duty, negligence, negligent supervision, and breach of implied contract. (3) Plaintiffs also sued MDF and Fagan, individually, for breach of contract. (4)

On April 23, 2014, Plaintiffs and other BMC patients were notified by letter (the "Letters") of a data breach involving their patient records--information that is protected under the federal Health Insurance Portability and Privacy Act's ("HIPAA") Privacy Rule, (5) and, more broadly, under Massachusetts' protections on personal information (6) and general right of privacy. (7) The Letters were sent pursuant to HIPAA's mandatory data breach notification procedures. (8) The Letters indicated that although the patients' medical records could be accessed by unauthorized individuals, there was no evidence of any actual misuse of patient information; (9) however, BMC could not identify how long the information was accessible through MDF's online site. (10) Plaintiffs conceded that they "do not know ... whether any unauthorized person actually gained access to their medical records ... however ... 'what goes on the internet, stays on the internet.'" (11) Thus, the basis for their claims is the risk that their information has been, or will be, misused.

In response to Plaintiffs' class action, BMC filed a motion to dismiss arguing that Plaintiffs' complaint "fail[ed] to allege any specific injury," and absent such allegation, "plaintiffs lack standing and fail[ed] to state a claim." (12) In response to BMC's motion, Plaintiffs asserted that they were entitled to discovery to learn the extent of the data breach and whether their records were actually accessed and misused by unauthorized individuals. (13)

The Trial Court denied Defendant's motion to dismiss, concluding that Plaintiffs were entitled to discovery because a "'real and immediate' risk of injury may be enough for standing" and that such determinations "should await a more full record and be decided upon a motion for summary judgment," rather than a motion to dismiss. (14) The Trial Court inferred a risk of injury from the "general allegations of injury from the data breach." (15) The Trial Court relied on the Letters to Plaintiffs as evidence of a "serious risk of disclosure" sufficient to establish risk of actual or future unauthorized access to Plaintiffs' confidential medical information. …
