Class-Action Suit Over Lost Mercy Health USB Drive Dismissed in PA Court

Class-Action Suit Over Lost Mercy Health USB Drive Dismissed in PA Court

A class-action lawsuit arising from improper handling of a USB drive with confidential patient information has been dismissed.

Plaintiffs in the case Baum v. Keystone Mercy Health Plan [PDF], filed a class action lawsuit against Keystone Mercy Health Plan and Amerihealth Mercy Health Plan for losing a USB flash drive that allegedly contained sensitive information for approximately 300,000 patients. The plaintiffs were alleging that Mercy Health had been negligent, fraudulent and deceptive.

The claims were brought under the Uniform Trade Practices and Consumer Protection Law (UTPCPL). But the Pennsylvania Superior Court said that the suit did not meet the requirements for going forward.

“As stated previously, on December 9, 2014, a panel of this Court affirmed the trial court’s denial of class certification on Appellant’s negligence claims but vacated its decision to deny class certification on the UTPCPL deceptive conduct claim,” said Judge Correale F. Stevens. “In doing so, the panel noted the trial court had concluded that Appellant’s UTPCPL claim did not satisfy the commonality requirement of Rule 1702(2) because a plaintiff who brings a private cause of action under the UTPCPL must show reliance…”

Also, the lead plaintiff, Avrum Baum, has a daughter impacted by the incident; but he himself was not, and he was unable to prove that it had been her personally identifiable information that was on the device. That invalidated Baum’s standing to bring the suit, the court ruled.

“The trial court also questioned Appellant’s standing to bring a private action under the UTPCPL as it pertained to a determination of ‘typicality’ under Rule 1702(3) because he did not purchase his daughter’s policy or suffer an ‘ascertainable loss,’” the Superior Court said.

Healthcare data breach class action lawsuits have not been wildly successful so far. For instance, a lawsuit against the University of Pittsburgh Medical Center (UPMC) was dismissed last year, filed by former UPMC employees. They alleged that UPMC and its payroll vendor, by allowing themselves to be breached, meant that it failed in its duty to protect private employee information and exposed those employees to tax return fraud.

However, the judge ruled that because UPMC was the victim of a cybersecurity breach, a better system for storing sensitive information would not have necessarily prevented the incident from taking place.

Additionally, a lawsuit against Horizon Blue Cross Blue Shield of New Jersey was dismissed last year. That case stemmed from an incident in 2013 where stolen laptops led to the potential exposure of 840,000 Horizon BCBS members’ PHI. The judge ruled that the plaintiffs failed to prove that hypothetical future injuries could potentially take place.

Photo © Joe Gough

Source: Information Security Magazine