A New York federal judge ruled on June 18 that a group of Episcopal Health Services patients suing the Uniondale, N.Y-based health system over a data security incident had grounds to continue the class-action lawsuit in state court, Bloomberg Law reports.
Five notes:
1. The group of patients filed a class-action lawsuit in New York state court on Sept. 11, 2019, claiming Episcopal Health Services failed to protect their financial, medical and other personal information from cyberattacks.
2. As patients of St. John's Episcopal Hospital, the group alleged that one or more of the hospital's employees' email accounts were hacked between Aug. 28, 2018, and Oct. 5, 2018, exposing their information such as Social Security numbers and dates of birth to unauthorized access.
3. On Nov. 4, 2019, Episcopal Health Services removed the case to federal court, claiming the patients' allegations fell under two federal laws, HIPAA and the Federal Trade Commission Act. The health system also moved to dismiss the complaint.
4. The patients argued that their lawsuit alleged only state common-law claims for negligent hiring and training of employees, breach of fiduciary duty, breach of implied contract and delay in notifying affected individuals of the breach.
5. The court ruled that while the patients' complaints referred to HIPAA and the FTCA, neither law allows people to sue for violations and the patients' claims thus do not fall under federal law. The court sent the case back to the state court and did not rule on the motion to dismiss.