Lack of Standing Still Viable Defense Against Data Breaches (PA)

Around September 20, 2010, health insurance carriers Keystone Mercy Health Plan and Amerihealth Mercy Health Plan lost an unencrypted flash drive containing the personal and confidential health information of over 200,000 individuals. The theft of the information contained on the flash drive not only violated the carriers’ own privacy practices, but breached both federal and state laws, including the HIPAA Privacy Rule and Pennsylvania’s Privacy of Consumer Health Information law.

As a result, Avrum Baum, the father of a special-needs minor insured by the carriers, elected to bring suit on behalf of himself, his daughter, and other similarly situated individuals. On behalf of this group, he asserted claims for negligence, negligence per se, and a violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL), 73 Pa.C.S. § 201-1, et seq. What is more, Baum sought to certify the class of individuals who he alleged had their privacy compromised as a result of the flash drive loss.

On July 25, 2013, the Court of Common Pleas denied the plaintiff’s motion for class certification on all of the counts asserted.

On appeal, the Superior Court upheld the denial of class certification on the negligence claim. The Court found that there was no evidence that the plaintiff or any members of the purported class were at risk of identity theft because the personal health information on the flash drive could not be linked to individuals by name. However, where the Philadelphia Court found that the plaintiff could not establish typicality on the UTPCPL claims, the Superior Court elected to remand the case back to the Court of Common Pleas to determine whether the class could be certified based on the UTPCPL “catch-all provision.”

Thus, the question left to the court was: is there a class to be certified on plaintiff’s claim of deceptive practices under the “catch-all” provision of the UTPCPL which prohibits one from “engaging in any other fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding.” 73 Pa.C.S. § 201-2(4)(xxi).

Ultimately, the Court of Common Pleas determined that Baum could not satisfy the typicality and adequacy standards that are required for class certification. The Court found that, unlike other members of the class, the plaintiff’s daughter did not lose her personal data. None of the information on the flash drive could be linked to her identity. As such, the plaintiff was rendered an inadequate representative of the group. Furthermore, the plaintiff did not give any consideration in exchange for the policy covering his daughter. Instead, the insurance was paid for by the state through Medicaid.

Baum serves as a reminder of the difficulties associated with data breach claims. If this case is any indication, these difficulties will not be going away any time soon. Please email Brian Gibbons with any questions. Thanks to Erica Woebse for her contribution.