Only one claim survived dismissal in a recent putative class action lawsuit alleging that a pathology laboratory failed to safeguard patient data in a cyberattack.  See Order Granting Motion to Dismiss in Part, Thai v. Molecular Pathology Laboratory Network, Inc., No. 3:22-CV-315-KAC-DCP (E.D. Tenn. Sep. 29, 2023), ECF 38.

In December 2021, plaintiffs allege that Molecular Pathology Laboratory Network, Inc. discovered that hackers had infiltrated its network servers and accessed protected health information (“PHI”) and personal identifiable information (“PII”) of over 300,000 patients.  The accessed data allegedly included, among other things, name and date of birth, diagnosis information, medical treatment information, health insurance information, and financial information belonging to both adults and children.  The complaint contended that the defendant failed to take adequate and reasonable measures to safeguard patient data.  It also asserted that the defendant failed to timely report the incident as required under HIPAA, delayed investigation of ascertaining who was impacted by the data breach, and delayed informing the plaintiff of the data breach.

The Eastern District of Tennessee court concluded that the plaintiff may move forward with his negligence claim, rejecting the lab’s argument that plaintiff had not alleged “a present injury” and instead only “injuries that may occur at some point in the future.”  The court found sufficient that the plaintiff alleged that he and the class members already incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of its PHI/PII and financial information.”

However, all other claims were dismissed. The court rejected the negligence per se claim and the TCPA claim because the plaintiff failed to sufficiently allege how the defendant violated the TCPA.  The court dismissed the plaintiff’s invasion of privacy and breach of confidence claims because the complaint lacked allegations that the defendant intruded on the plaintiff’s “private affairs or concerns” or used the plaintiff’s confidences “to obtain some benefit from, or advantage over” the plaintiff.  Finally, the complaint failed to sufficiently allege a “meeting of the minds occurred” as to the formation of an implied contract for the defendant to implement data security features to protect the plaintiff’s data, which was fatal to the plaintiff’s breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment claims.

Tags: Data Privacy, Litigation, privacy, technology
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ellen Choi Ellen Choi

Ellen Choi is a member of the firm’s Litigation and Investigations Practice Group. She represents clients in complex commercial disputes involving a range of issues such as business torts, consumer protection, and insurance recovery. Ellen also has experience in a range of internal…

Ellen Choi is a member of the firm’s Litigation and Investigations Practice Group. She represents clients in complex commercial disputes involving a range of issues such as business torts, consumer protection, and insurance recovery. Ellen also has experience in a range of internal investigations, including workplace culture investigations. Ellen maintains an active pro bono practice.

Ellen is fluent in Korean and has experience advising Korean companies in litigation and investigation matters.

Prior to joining Covington, Ellen clerked for Judge Philip S. Gutierrez, U.S. District Court, Central District of California. Ellen was a management consultant in the pharmaceutical and biotech space before practicing law.

Read more about Ellen ChoiEmail
Show more Show less
Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer…

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer products, and financial services. Kate has also played a key role in developing the firm’s mass arbitration defense practice. She regularly advises companies on the risks associated with mass arbitration and has a proven track record of successfully defending clients against these challenges.

Leveraging her success in class action litigation and arbitration, Kate helps clients develop strategic and innovative solutions to their most challenging legal issues. She has extensive experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), along with common law and constitutional rights of privacy, among others.

Recent Successes:

  • Represented Meta (formerly Facebook) in a putative nationwide advertiser class action alleging violations under the California Unfair Competition Law (UCL) related to charges from allegedly “fake” accounts. Successfully narrowed claims at the pleadings stage, defeated class certification, opposed a Rule 23(f) petition, won summary judgment, and defended the victory on appeal to the Ninth Circuit. The Daily Journal selected Covington’s defense of Meta as one of its 2021 Top Verdicts, and Law.com recognized Kate as a Litigator of the Week Shoutout.
  • Defeated a landmark class action lawsuit against Microsoft and OpenAI contending that the defendants scraped data from the internet for training generative AI services and incorporated data from users’ prompts, allegedly in violation of CIPA, the Computer Fraud and Abuse Act (CFAA), and other privacy and consumer protection laws.

Kate regularly contributes to the firm’s blog, Inside Class Actions, and was recently featured in a Litigation Daily interview titled “Where Privacy Laws and Litigation Trends Collide.” In recognition of her achievements in privacy and antitrust class action litigation, the Daily Journal named her as one of their Top Antitrust Lawyers (2024), Top Cyber Lawyers (2022), and Top Women Lawyers in California (2023). Additionally, she received the Women of Influence award from the Silicon Valley Business Journal and was recognized by Daily Journal as a Top Attorney Under 40.

Read more about Kathryn CahoyEmail
Show more Show less