A Flowers Hospital data breach lawsuit has survived another motion to dismiss. U.S District Judge, William Keith Watkins, has agreed with the recommendations of a magistrate judge and will allow the case to proceed. Flowers Hospital had protested that the case had no standing as there is no damage to compensate the plaintiffs for. The judge disagreed.
Five defendants have now added their name to the lawsuit which has been filed against Flowers Hospital’s parent company, Triad of Alabama. The plaintiffs allege that the exposure of their Protected Health Information (PHI) entitles them to claim damages. They also maintain that Flowers Hospital violated the Federal Credit Reporting Act and state laws by failing to prevent the data breach.
The lawsuit claims the defendants were negligent for failing to install appropriate controls to keep the PHI of patients protected, and also that the healthcare provider violated the privacy of patients and breached the terms of its contract with its patients.
The data breach was caused when an employee of the hospital stole patient data, with the offenses taking place between June 2013 and February 2014. Kamarian Deshaun Millender, stole the data and has since admitted to one count of felony identity theft in both a federal and local court and is now currently serving a prison term of 2 years for the crimes.
Social Security numbers and other personal information were stolen to allow Millender to file bogus tax returns in the names of the victims; however it is claimed that the information stolen is still circulating, and that the victims now potentially face a lifetime of increased risk of suffering identity theft and fraud.
Following the discovery of the data breach, Flowers Hospital notified patients of the incident and offered credit monitoring and identity theft protection services to mitigate risk; however a lawsuit was still filed for the invasion of privacy. That case was dismissed due to a lack of standing and the plaintiffs permitted to revise the suit. That has now happened and the hospital looks unlikely to escape a trial.
Even though the breach victims do not appear to have actually suffered fraud or identity theft, they have had to cover the cost of mitigating risk, with the plaintiffs also claiming they have suffered mental distress and anxiety as a result of the exposure of their PHI and PII.
Should the case succeed, the costs could be considerable. The lawsuit names five defendants, but the class-action suit also lists “other similarly situated” patients, which potentially number in the thousands.
The case went before a magistrate judge earlier this year who sided with the plaintiffs. According to Judge Paul Greene, “Though they were given careful consideration, [the] defendant’s arguments are ultimately unpersuasive.” The hospital’s legal team claimed that no actual losses had been suffered, and without demonstrable losses, there could be no claim for damages. Additionally, the defendants had taken steps to mitigate risk and protect patients following the data breach, such as providing all affected individuals with a year of credit monitoring services without charge.
However, the defendants’ attempts to have the case dismissed have fallen on deaf ears again. Judge Watkins similarly didn’t find the defense’s claims persuasive. The case will now proceed to the discovery stage.