Judge lets novel claim stand in UHS patient data breach lawsuit | Reuters
Brendan Pierson
A federal judge has narrowed a lawsuit brought by patients against hospital operator Universal Health Services Inc over a data breach last year, finding that merely having their data exposed did not give patients standing to sue but that one plaintiff could go forward with a claim that he was harmed because the breach delayed his surgery.
In an opinion filed Monday, U.S. District Judge Gerald McHugh said discovery was needed to determine whether even the surviving plaintiff had standing, giving the parties 60 days to address the issue.
John Yanchunis of Morgan & Morgan, a lawyer for the plaintiffs, did not immediately respond to a request for comment. Mark Melodia of Holland & Knight, a lawyer for UHS, declined to comment.
UHS, which runs some 400 hospitals and care centers across the United States and the United Kingdom, revealed that it had experienced a data security breach last September. The breach was later revealed to be a so-called "ransomware" attack, in which the hacker obtains and threatens to reveal private information unless a ransom is paid.
Three patients sued the company, bringing claims for negligence, breach of implied contract, breach of fiduciary duty and breach of confidence.
Two of the plaintiffs, Barry Graham and Angela Morgan, sought damages on the grounds that the breach put them at a greater risk of identity theft.
The third plaintiff, Stephen Motkowicz, said a surgery he needed to treat a medical condition had to be delayed when UHS temporarily suspended procedures in the wake of the breach. He said that, because he continued to miss work as a result of his condition while awaiting surgery, he lost his employer-provided insurance and was forced to buy insurance at a higher price.
McHugh said that allegation was enough for Motkowicz's claim to survive dismissal for now, though he said the theory of causation presented a "significant challenge" and would need to be evaluated again after further discovery.
"Plaintiff's injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery," he wrote.
The judge dismissed the other two plaintiffs' claims, saying that under precedent set by the 3rd U.S. Circuit Court of Appeals in 2011 in Reilly v. Ceridian Corp, having personal information hacked did not give rise to standing on its own.
He also said the two plaintiffs had not supported their allegation that they were at greater risk of identity theft, noting that the theft of data in a ransomware attack is "generally the means to an end: extorting payment."
"A court is still left to speculate ... whether the hackers acquired plaintiffs' (private health information) in a form that would allow them to make unauthorized transactions in their names, as well as whether plaintiffs are also intended targets of the hackers’ future criminal acts," he said.