
Judge Sends Episcopal Health Data Breach Lawsuit Back to State Court

Citing a lack of standing for a federal lawsuit, a New York federal judge sent a data breach lawsuit against Episcopal Health down to state court as the allegations fall under HIPAA.

A federal judge of the U.S. District Court for the Eastern District of New York has sent a data breach lawsuit against Episcopal Health Services back to state level courts, saying it lacked the grounds for a federal lawsuit, as first reported by Bloomberg Law.

In September 2018, the New York health system discovered several email accounts were hacked after multiple employees fell victim to phishing attacks. The accounts were breached for about two months before the breach was discovered by Episcopal Health.

The compromised data included a trove of patient information, such as health information, Social Security numbers, medical histories, and other sensitive data.

The incident was first reported to the Department of Health and Human Services in 2018, and the provider released a second breach notification about it in May 2019 after discovering more patients were potentially impacted by the hack. More than 218,000 patients were potentially affected by the incident.

Three of the patients filed a lawsuit against the provider in response, claiming officials failed to protect patient information from unauthorized disclosures and breached fiduciary duty. Citing HIPAA failures and a breach of the Federal Trade Commission Act, the patients also claimed they suffered injuries as a direct result of the breach.

Further, the lawsuit argues the provider lacked adequate cybersecurity procedures and policies, failed to provide timely notification, and was negligent in the hiring and training of employees, while breaching an implied contract.

Episcopal Health sought to have the case dismissed, citing a lack of standing and a failure to state a claim, and to remove the case from the New York Supreme Court on the grounds that the allegations made by patients fell under HIPAA and the FTC Act, both federal laws.

The Federal judge sided with Episcopal Health over the assertion that the breach fell under HIPAA and the FTC Act, and the lawsuit did not raise questions about federal laws. Instead, the lawsuit centered around common law causes of action and not HIPAA or FTC Act violations.

Those laws do not allow individuals to pursue a private cause of action. HIPAA violations can only be enforced by HHS. As a result, the judge ruled the district court lacked the authority to preside over the lawsuit and bumped the case down to the New York Supreme Court.

The judge did not make a ruling on Episcopal Health Services’ request to dismiss the lawsuit.

“Here, the defendant has failed to meet its burden of proving that this court has subject matter jurisdiction,” according to the ruling. “Defendant argues that removal to this Court is proper... because Plaintiffs' claims are ‘expressly and affirmatively premised on duties allegedly arising under HIPAA and the Federal Trade Commission Act.’”

“As the court lacks subject matter jurisdiction, the court declines to rule on defendant's motion to dismiss and remands this action to state court for further proceedings,” it continued.

Healthcare data breach lawsuits have become more common in the past year, but with mixed results. While some courts have opted to dismiss some lawsuits based on a lack of actual harm, others have revived cases citing “legally cognizable” injuries as with the Athens Orthopedic Clinic lawsuit over a 2016 data hack by the notorious “thedarkoverlord.”
