Commentary

Court Allows Patients to Sue Pharmacy Over Data Breach

Ann Latner, JD

A United States Appeals Court overturned a lower court’s decision to dismiss a case and is allowing patients of a pharmacy who were affected by a data breach to continue their lawsuit against the pharmacy.

The Facts

The Massachusetts home-delivery pharmacy maintained records for its patients, which included Social Security numbers, health insurance, dates of birth, financial information (including credit card numbers), health information (including diagnoses and treatments), and Medicare/Medicaid IDs. Much of this information is considered personally identifiable information (PII), which must be protected under the law.

In January of 2021, the pharmacy suffered a data breach. Hackers accessed the patient records system and gained access to the PII of over 75,000 pharmacy patients. The pharmacy did not discover the breach until May 2021. In the interim, the hackers were able to keep accessing the information.

When the pharmacy discovered the breach, rather than inform patients, the company decided to launch an investigation and implement new data security protocols. It wasn’t until February 2022 that the pharmacy began notifying impacted patients via a letter. Later that year, 2 patients filed a class action lawsuit against the pharmacy. The patients alleged that the breach of their information caused “anxiety, sleep disruption, stress, and fear,” and one patient alleged that a fraudulent tax return had been filed in her name. They claimed the pharmacy had breached its fiduciary duty to protect their information. The pharmacy made a motion to dismiss the case, claiming that the plaintiffs had failed to allege any actual harm. The district court granted the pharmacy’s motion and dismissed the case against it.

The Appeal

The Court of Appeals disagreed with the lower court and reversed its decision, reinstating the case against the pharmacy. The Court held that the “totality of the complaint plausibly alleges an imminent and substantive risk of future misuse of the plaintiffs’ PII,” and that the filing of the false tax return was obviously connected to the breach, despite the pharmacy’s claims that it was unrelated. Specifically, the Court found that the plaintiffs had claims for breach of fiduciary duty on the part of the pharmacy.

The Takeaway

PII must be highly protected, and pharmacies have a duty to ensure the security of such information. If a data breach does occur, transparency is far preferable to waiting until the following year to notify patients.

Reference

Alexis Webb vs Injured Workers Pharmacy, LLC. September 11, 2023. https://www.govinfo.gov/content/pkg/USCOURTS-mad-1_22-cv-10797/pdf/USCOURTS-mad-1_22-cv-10797-1.pdf

© 2024 HMP Global. All Rights Reserved.
Any views and opinions expressed are those of the author(s) and/or participants and do not necessarily reflect the views, policy, or position of Pharmacy Learning Network or HMP Global, their employees, and affiliates.