Only one claim survived dismissal in a recent putative class action lawsuit alleging that a pathology laboratory failed to safeguard patient data in a cyberattack. See Order Granting Motion to Dismiss in Part, Thai v. Molecular Pathology Laboratory Network, Inc., No. 3:22-CV-315-KAC-DCP (E.D. Tenn. Sep. 29, 2023), ECF 38.
Plaintiffs allege that, in December 2021, Molecular Pathology Laboratory Network, Inc. discovered that hackers had infiltrated its network servers and accessed protected health information (“PHI”) and personally identifiable information (“PII”) of over 300,000 patients. The accessed data allegedly included, among other things, name and date of birth, diagnosis information, medical treatment information, health insurance information, and financial information belonging to both adults and children. The complaint contended that the defendant failed to take adequate and reasonable measures to safeguard patient data. It also asserted that the defendant failed to timely report the incident as required under HIPAA, delayed its investigation to ascertain who was impacted by the data breach, and delayed informing the plaintiff of the data breach.
The Eastern District of Tennessee court concluded that the plaintiff may move forward with his negligence claim, rejecting the lab’s argument that the plaintiff had not alleged “a present injury” and instead only “injuries that may occur at some point in the future.” The court found it sufficient that the plaintiff alleged that he and the class members had already incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of its PHI/PII and financial information.”
However, all other claims were dismissed. The court rejected the negligence per se claim and the TCPA claim because the plaintiff failed to sufficiently allege how the defendant violated the TCPA. The court dismissed the plaintiff’s invasion of privacy and breach of confidence claims because the complaint lacked allegations that the defendant intruded on the plaintiff’s “private affairs or concerns” or used the plaintiff’s confidences “to obtain some benefit from, or advantage over” the plaintiff. Finally, the complaint failed to sufficiently allege a “meeting of the minds occurred” as to the formation of an implied contract for the defendant to implement data security features to protect the plaintiff’s data, which was fatal to the plaintiff’s breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment claims.