NY District Court Kicks Back Data Breach Lawsuit Against Episcopal Health Services to State Court

Patients of Episcopal Health Services Inc., based in Uniondale, N.Y., filed a lawsuit over the compromise of their personal and protected health information in a phishing attack in 2018. The lawsuit has been kicked back to the New York State Supreme Court for further proceedings.

The lawsuit asserts that Episcopal Health Services did not safeguard the private data of its patients from unauthorized exposure. Due to those failures, some employee email accounts of Episcopal Health Services were breached between August 28, 2018 and October 5, 2018. The information contained in the email accounts included patients’ names, birth dates, addresses, Social Security numbers, and financial information. The PHI of over 218,000 patients was exposed in the email system breach.

The lawsuit named three plaintiffs, all of whom were patients of St. John’s Episcopal Hospital. They stated that they suffered injuries because of the exposure of their confidential information. The lawsuit referenced the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission (FTC) Act, with the plaintiffs saying that Episcopal Health Services had violated those regulations. The plaintiffs additionally alleged breach of fiduciary duty, breach of implied contract, late issuance of breach notifications, and negligence with regard to the hiring and training of its workers.

Episcopal Health Services removed the case from the New York State Supreme Court, saying the claims arose under HIPAA and the FTC Act, which are federal regulations. The defendant also sought to have the lawsuit dismissed for lack of standing and failure to state a claim.

The lawsuit was recently kicked up to the U.S. District Court for the Eastern District of New York, which decided that the lawsuit did not raise any issues of federal law. Although HIPAA and the FTC Act were referenced in the lawsuit, the claims were not based on violations of HIPAA or the FTC Act. Instead, they were common law causes of action. There is no private cause of action in either HIPAA or the FTC Act. Actions for violations of HIPAA may only be taken by the Department of Health and Human Services or State Attorneys General, while the FTC Act may only be enforced by the Federal Trade Commission.

District Court Judge Dora L. Irizarry decided that the District Court did not have the authority to preside over the case, so the case was sent back to the New York State Supreme Court for further proceedings. No ruling was made on Episcopal Health Services’ motion to dismiss the lawsuit.