Potential Damage from Data Breach Sufficient for Suit Against Medical Facility Posted on March 11, 2016 by Larry Bodine BMC wrote that patients medical records were “inadvertently made accessible to the public.” A Massachusetts Superior Court judge denied Boston Medical Center’s request to dismiss the data breach case, ruling that the risk of potential injury was sufficient to move the case forward. Former Boston Medical Center (BMC) patients filed suit against BMC, MDF Transcriptions, and its owner Richard J. Fagan, after a letter from the facility described a leak of medical records. Members of the class alleged seven violations of law including an invasion of privacy, breach of fiduciary duty, and breach of confidentiality. Plaintiffs complaint stated, “what goes on the internet, stays on the internet.” The former patients requested refunds for paid medical services from BMS as well as damages for the injury the exposure caused. Was patient information misused? BMC notified the plaintiff their medical records had been “inadvertently made accessible to the public through an independent medical record transcription service.” BMC also noted in the letter that they had “no reason to believe that [the release] led to misuse of any patient information.” See Also: SCOTUS Refuses to Hear Johnson & Johnson Appeal of $140M Motrin Case The court noted that the plaintiffs were still unsure whether their information had been misused or if there was any further disclosure. However, the plaintiffs asked the court to issue an injunction to protect their information from any further exposure. BMC requested the court to dismiss the claims mainly because the facility believed the plaintiff suffered no injuries, because the records were not accessed or misused by any unauthorized persons, and thus they lacked standing to bring their claim. Quoting a recent state supreme court decision, Pugsley v. Police Department, “real and immediate” risk of injury can be enough to have standing to bring the claim. 472 Mass. 367 (2015). Judge Edward Leibensperger in Boston believed at the early stages of case, the plaintiffs had presented enough facts to allow reasonable inferences that their information has been or could have been accessed during the time the data was breached. Additionally, the letter informing of the breach itself is sufficient to state a claim for relief. This case is Walker and O’Rourke v. Boston Medical Center Corp, Case No. 2015-1733-BLS-1, Massachusetts Superior Court Business Litigation Session. Thank you to Mintz Levin PC of Boston, MA for providing the opinion for accurate reporting of this story.
