Last month, a putative class action lawsuit was filed in federal court concerning a data breach resulting from the alleged improper disclosure of COVID-contact tracing data.  Read on to learn more, and how this case fits more broadly into a trend of data breaches involving the healthcare industry.  Chapman v. Commonwealth of Pennsylvania, et al., No. 1:21-cv-00824 (M.D. Pa.)

As readers of CPW already know from developments this past year, “contact tracing” is used to notify individuals of exposure to COVID-19.  In this case, Plaintiff alleges that a contractor was retained by the Pennsylvania Department of Health (“DOH”) in the midst of the COVID pandemic to contact individuals who were either diagnosed with or in close proximity to individuals diagnosed with COVID-19.

Plaintiff alleges that, notwithstanding representations that all protected health information (“PHI”) “obtained in connection with COVID-19 contact tracing would be kept private and confidential,” Defendants (including the contractor and Pennsylvania DOH) failed to take “appropriate or even the most basic steps to protect the PHI of Plaintiff and other class members from being disclosed.”  This included the contractor purportedly having employees who used “unsecure data storage and communications methods” that resulted in the disclosure of Plaintiff’s and class members’ PHI.

The Complaint alleges that Defendants failed to comply with the obligations imposed on them under the Health Insurance Portability and Accountability Act (“HIPAA”).  [Note: HIPAA does not contain a private right of action, so while the Complaint alleges violation of HIPAA, Plaintiff’s claims are not predicated on HIPAA.]  Plaintiff seeks to certify a class consisting of “[a]ll persons in the United States whose PHI was compromised in the Data Breach disclosed by DOH and Insight between March 16, 2020 and April 29, 2021.”

A press release discussing the Data Breach stated that information disclosed may have included: (1) names of individuals who may have been exposed to COVID-19 (and whether they experienced symptoms), (2) information about the number of members in their households and their emails and telephone numbers, and (3) information needed for social-support services pertaining to COVID-19-related issues.  However, the information impacted by the breach did not include Social Security numbers, financial account information or payment card information.

Based on media reports, the Breach evidently occurred because certain employees of the contractor set up and used several Google accounts for sharing information as part of an “unauthorized collaboration channel” that bypassed the contractor’s network security.

In many ways, notwithstanding the unique factual allegations, the claims and relief sought by Plaintiff are typical of those raised in other data breach and data event litigations.  The Complaint includes claims for: (1) negligence, (2) negligence per se, and (3) publicity given to private life.  The damages sought by the Plaintiff include, among other things, “equitable relief compelling Defendants to utilize appropriate methods and policies with respect to consumer data collection, storage, and safety, and to disclose with specificity the type of PHI compromised during the Data Breach.”

As the number of data breaches and data events involving entities in the healthcare sector continues to rise, so will the number of lawsuits alleging the improper disclosure of PHI.  For more information on this litigation and other data privacy developments, stay tuned.  CPW will be there.