BreachExchange mailing list archives
Omnicell data breach suit dismissal: Healthcare ramifications
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Jan 2014 17:29:10 -0700
http://healthitsecurity.com/2014/01/06/omnicell-data-breach-suit-dismissal-healthcare-ramifications/

A lawsuit against Omnicell stemming from a 2012 health data breach was recently dismissed, in part, because the plaintiff failed to prove damages related to the breach. The interesting part of the dismissal, however, was that there were four separate defendants that were involved that used different defenses.

Omnicell served as a business associate (BA) for Sentara Healthcare, South Jersey Health System, Inc., (now Inspira Health Network, Inc.) and the Board of Regents of the University of Michigan when a laptop with some of their unencrypted PHI had been stolen from an employee’s car in 2012. Read the dismissal decision here ( http://healthitsecurity.com/wp-content/uploads/Polanco-Dismissal-Opinion.pdf ).

In dismissing the case, the court provided a strong reminder that suing for damages in a private cause of action related to a data breach puts a heavy burden of proof on plaintiffs to show that (1) the healthcare organizations were at fault for the breach and (2) the damages were a direct result of the breach.

Because there were four defendants and the courts divided the case into the four defenses that each group of defendants offered, HealthITSecurity.com spoke with Randy Gainer, partner in the Seattle office of Davis Wright Tremaine. Gainer was able to successfully move to dismiss the putative class action claims against South Jersey Hospital, now known as Inspira, but also discussed some of the other defenses raised in the lawsuit.

First, claims against hospitals run by the University of Michigan were dismissed on 11th Amendment grounds. “The court agreed with their argument that the State of Michigan had not waived their sovereign immunity to be subject to these types of claims, and the claims against the Michigan hospitals were dismissed,” Gainer said. The court didn’t even have to review the other defenses that Michigan had raised.

Next were the claims by Sentara hospital in which the stolen laptop included Sentara hospital data and was stolen. Neither the plaintiff, nor her daughter, Gainer explained, had been treated at those hospitals and the court held that they couldn’t show constitutional standing against Sentara because it did nothing to cause the breach to occur. And nor did it cause any damage to the plaintiff, Gainer said.

And then Gainer’s client, Inspira, which purchased South Jersey Hospital where the plaintiff’s daughter had been treated, was involved because Omnicell had been doing some work for Inspira. Gainer said his arguments synced up with Omnicell’s, which was that although the data may have been on the laptop, there was no evidence that the plaintiff had pleaded any facts that she or her daughter had been injured in any way. The court accepted that Constitutional standing requirement and dismissed the claims against Inspira and Omnicell, Gainer said.

For Gainer, there were three significant things about the decision:

1. 11th Amendment sovereign immunity can be a defense

It’s useful for publicly-run hospitals that the court accepted the 11th Amendment sovereign immunity argument from the University of Michigan. So going forward, it’s clear that publicly-run hospitals who haven’t waived sovereign immunity will be able to rely on that defense on appeal.

2. Causation

The causation argument is also important. Many of these types of cases make that argument, but I’m not aware of many that focus on a causation issue, so that’s critical for defendants that are facing these types of claims.

3. The need for substantial damage proof

And then the decision that stated the plaintiffs failed to prove harm under constitutional standing and was grounds for dismissal was important. There are other cases that have gone that way in the decisions, but it’s always good to have courts say that they’re not even going to entertain lawsuits if the plaintiffs can’t prove genuine economic damages.

The plaintiff intended by saying that she had driven further for treatment for her daughter because she was concerned about the security at the hospital. The court, like some others before it, said that the argument wasn’t good enough. It said those were self-imposed damages based on fear that bad things may happen in the future, which isn’t good enough to show Constitutional harm.