Only one claim survived dismissal in a recent putative class action lawsuit alleging that a pathology laboratory failed to safeguard patient data in a cyberattack.  See Order Granting Motion to Dismiss in Part, Thai v. Molecular Pathology Laboratory Network, Inc., No. 3:22-CV-315-KAC-DCP (E.D. Tenn. Sep. 29, 2023), ECF 38.

In December 2021, plaintiffs allege that Molecular Pathology Laboratory Network, Inc. discovered that hackers had infiltrated its network servers and accessed protected health information (“PHI”) and personally identifiable information (“PII”) of over 300,000 patients.  The accessed data allegedly included, among other things, name and date of birth, diagnosis information, medical treatment information, health insurance information, and financial information belonging to both adults and children.  The complaint contended that the defendant failed to take adequate and reasonable measures to safeguard patient data.  It also asserted that the defendant failed to timely report the incident as required under HIPAA, delayed its investigation into who was impacted by the data breach, and delayed informing the plaintiff of the data breach.

The Eastern District of Tennessee court concluded that the plaintiff may move forward with his negligence claim, rejecting the lab’s argument that plaintiff had not alleged “a present injury” and instead only “injuries that may occur at some point in the future.”  The court found it sufficient that the plaintiff alleged that he and the class members had already incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of its PHI/PII and financial information.”

However, all other claims were dismissed. The court rejected the negligence per se claim and the TCPA claim because the plaintiff failed to sufficiently allege how the defendant violated the TCPA.  The court dismissed the plaintiff’s invasion of privacy and breach of confidence claims because the complaint lacked allegations that the defendant intruded on the plaintiff’s “private affairs or concerns” or used the plaintiff’s confidences “to obtain some benefit from, or advantage over” the plaintiff.  Finally, the complaint failed to sufficiently allege a “meeting of the minds occurred” as to the formation of an implied contract for the defendant to implement data security features to protect the plaintiff’s data, which was fatal to the plaintiff’s breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment claims.

Ellen Choi

Ellen Choi is a member of the firm’s Litigation and Investigations Practice Group. She represents clients in complex commercial disputes involving a range of issues such as business torts, consumer protection, and insurance recovery. Ellen also has experience in a range of internal investigations, including workplace culture investigations. Ellen maintains an active pro bono practice.

Ellen is fluent in Korean and has experience advising Korean companies in litigation and investigation matters.

Prior to joining Covington, Ellen clerked for Judge Philip S. Gutierrez, U.S. District Court, Central District of California. Ellen was a management consultant in the pharmaceutical and biotech space before practicing law.

Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.