Dismissed Adventist Lawsuit ResurfacesRejected Federal Breach Case Filed in State Court
After a federal court dismissed a class action lawsuit filed against Adventist Health System in the aftermath of a data breach affecting 763,000 patients, another case was immediately filed in a state court.
See Also: The Global State of Online Digital Trust
The lawsuit stems from a breach involving improper access by a former emergency department worker to the electronic health records of more than 763,000 patients. Authorities say patient information was sold for profit by the employee with a co-conspirator to third parties who pitched legal and chiropractic services to individuals injured in motor vehicle accidents.
The federal lawsuit sought unspecified damages for individuals whose sensitive information was inappropriately accessed. It also asked the court to order Adventist to protect all data collected in compliance with HIPAA and industry standards. The suit filed with a state court includes similar details.
In his July 3 order, Justice Roy B. Dalton of the U.S. District Court, Middle District of Florida Orlando Division, dismissed the lawsuit filed in the federal court in April, saying the matter should be handled at the state level instead. He cited "lack of subject matter jurisdiction" related to the plaintiff's HIPAA claims.
The attorneys who filed the federal lawsuit then immediately re-filed the case in Orange County Circuit Court in Orlando on behalf of Richard Faircloth against Adventist Health System/SunBelt Inc. (see: Health Data Theft Case Prompts Lawsuit).
Not A Federal Case
"HIPAA does not provide a private right of action, so plaintiffs generally bring health information privacy or security actions under state law," explains privacy attorney Adam Greene, a partner at Davis Wright Tremaine. "The plaintiffs may allege that a violation of HIPAA is evidence that the defendant violated state law."
Regarding the federal case filed against Adventist, Greene says, "The court held that this implication of HIPAA is insufficient to create jurisdiction in federal court."
In his ruling, Dalton wrote, "The plaintiff contends that this [federal] court has subject-matter jurisdiction over this case because his state law claims 'turn on substantial questions of federal law, specifically whether [Adventist] violated HIPAA and its associated regulations.' The defendant argues that this court lacks subject-matter jurisdiction because the mere implication of HIPAA in the plaintiff's state law claims does not mean that the claims arise. The court agrees with the defendant."
Many other class action lawsuits involving health data breaches are pending in state, not federal, courts. That includes a suit against against Sutter Health in California in the wake of a breach that impacted 4.2 million patients.
Edmund Normand, an attorney for the plaintiff in the Adventist case, told Information Security Media Group: "We will seek a remedy for all state and federal violations in state court. The privacy of our medical and financial information is too important to ignore massive security breaches, and our clients deserve the privacy security that they paid for when they purchased the treatment."
Mayanne Downs, an attorney who's representing Adventist, declined to comment on the lawsuit.
Center of Claim
The breach at the heart of Adventist lawsuit involved a former emergency department worker at Florida Hospital Celebration, one of 37 hospitals in Adventist's network.
Over a two-year period from 2009 to 2011, the worker improperly accessed the electronic records of more than 763,000 patients treated at several Florida Hospital locations and sold personal information on about 12,000 patients to a co-conspirator, law enforcement officials say. That information was used to solicit legal and chiropractic services for patients involved in motor vehicle accidents, according to law enforcement officials (see: Prison Time for Health Data Theft).
The former hospital worker, Dale Munroe II, pleaded guilty and was sentenced in January to a year in federal prison for selling patient information he improperly accessed (see: Selling Records for Profit Alleged).
Two co-conspirators, Munroe's wife Katrina, who was a former insurance worker at Florida Hospital Celebration, and Sergei Kusyakov, who was involved with the operation of two Florida chiropractic centers, also pleaded guilty. Kusyakov, who authorities allege paid Munroe for the stolen patient information, was recently sentenced to four years in federal prison. Katrina Munroe is awaiting sentencing.
Normand did not provide a total for the number of individuals expected to be part of the class action against Adventist.
"We do not have any class certified, but the related criminal actions show many thousands were alleged to have had their data integrity breached and some of them allegedly had data sold to third parties according to the criminal allegations," he says. "When a healthcare provider violates HIPPA and other medical privacy laws, when they do not provide the acceptable standards for data protection, then the health care provider has failed to perform that aspect of the contract."