Health care data breach case highlights risk to companies for unauthorized use of data by employees



May 13, 2016

Health Care Alert

Author(s): Tina Sciocchetti, Laurie T. Cohen, Michal E. Ovadia

A recent settlement in a data breach case serves as a reminder that companies maintaining sensitive information should have policies regarding employee access to sensitive data.

Last week, the parties in Weinberg v. Advanced Data Processing, Inc., et al., 15-CV-61598 (S.D. Fla. filed Aug. 4, 2015), filed a stipulation of dismissal in the Southern District of Florida that dismissed plaintiff’s claims with prejudice and the putative class members’ claims without prejudice, and gave no award of attorneys’ fees, costs or other expenses.

This litigation arose out of a 2012 data breach at Intermedix, a health care payment and data processing company run by the defendants Advanced Data Processing (ADP) and Intermedix Corp. According to the complaint, between June and October 2012, an Intermedix employee accessed the personal information of “hundreds (if not thousands)” of patients who used ambulances and for whom Intermedix had provided billing and payment processing. Plaintiff alleged that the stolen data was then used to obtain tax refunds through the filing of fraudulent tax returns using the victims’ identities. Plaintiff maintained that Intermedix failed to supervise employee access to patient data, to timely investigate the breach and to timely and adequately notify potential victims. Allegedly, notification first took place in late 2014 when Intermedix posted a notice of the data breach on its website.

Last fall, the district court dismissed plaintiff’s claim for breach of fiduciary duty, but the negligence and unjust enrichment claims survived the motion to dismiss. The court ruled that the negligence cause of action could not be maintained under HIPAA because the law does not provide a private right of action. However, the court agreed with plaintiff’s assertion that the negligence claim was valid under Florida’s “undertaker doctrine,” which imposes a duty to act carefully upon someone who voluntarily provides a service to others. Following the court’s decision, the parties participated in court-ordered mediation and ultimately agreed to dismiss the case under nonpublic settlement terms.

Although the court had determined that the negligence claim could not be maintained under HIPAA, the Intermedix case serves as an important reminder that all companies which collect or maintain personal information, such as social security numbers, may face claims of negligence under state law for failing to ensure the privacy and security of such information. For example, the unauthorized use of personal information by an employee may expose companies to claims of negligent hiring and failure to supervise culpable employees.

Therefore, data privacy and security policies and procedures should address and limit, to the extent possible, unauthorized access, not only by external sources, but also by internal sources who are acting beyond the scope of their employment. Data privacy training of all employees, at hire, and periodically thereafter, as well as routine monitoring of employee compliance with company policies and procedures should be implemented. The intentional misuse of data by an employee should also be considered when drafting hiring and disciplinary policies. Lastly, data privacy and security policies should address timely investigations of potential breaches, as well as the issuance of breach notifications to state and federal authorities and impacted individuals as required by applicable state and federal breach notification laws.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top