NY District Court Brings Back Data Breach Suit Against Episcopal Health Services to State Court

Patients of Episcopal Health Services Inc. located in Uniondale, N.Y. filed a legal case in relation to the exposure of their private and protected health information due to a phishing attack in 2018. The New York State Supreme Court has kicked back the legal case for further proceedings.

The lawsuit claims Episcopal Health Services was unable to secure the private details of its patients from unauthorized disclosures. Because of those setbacks, certain employee email accounts of Episcopal Health Services encountered a breach from August 28, 2018 to October 5, 2018. The types of sensitive data held in the email accounts included the patients’ names, dates of birth, addresses, Social Security numbers, and financial data. The PHI of about 218,000 patients was compromised in this email system breach.

The legal case named three plaintiffs, both of which were St. John’s Episcopal Hospital’s patients. They alleged they experienced injuries due to the compromise of their personal data. The case referred to the Federal Trade Commission (FTC) Act and the Health Insurance Portability and Accountability Act (HIPAA), with the plaintiffs alleging that Episcopal Health Services had broken those rules. The plaintiffs likewise claimed there was a breach of implied contract, breach of fiduciary duty, a delayed sending of notifications about the breach, and negligence regarding the employment and training of its personnel.

Episcopal Health Services took away the lawsuit from the New York State Supreme Court, purporting that the claims were covered by HIPAA and the FTC Act, which are federal rules. The defendant likewise wanted to have the legal case dismissed due to a lack of standing and inability to assert a claim.

The legal case was kicked up to the U.S. District Court for the Eastern District of New York, which not long ago determined that the legal action didn’t bring up any concerns related to federal law. Though The FTC Act and HIPAA were mentioned in the legal case, the claims weren’t founded on HIPAA or FTC Act violations, rather they were typical law causes of action. There’s no private cause of action in either HIPAA or the FTC Act. Actions could simply be undertaken for breach of HIPAA by the Department of Health and Human Services or State Attorneys General, whereas the FTC Act could merely be enacted by the Federal Trade Commission.

District Court Judge Dora L. Irizarry determined that the District Court had no power to preside the lawsuit, thus the lawsuit was returned to the New York State Supreme Court for other proceedings. There is no regulation done on Episcopal Health Services’ motion to disregard the legal case.