Walker, et al. v. Boston Medical Center Corp., et al. (Lawyers Weekly No. 12-081-17)

 


 

COMMONWEALTH OF MASSACHUSETTS

SUFFOLK, ss SUPERIOR COURT

CIVIL ACTION

No. 2015-01733-BLS1

KAMYRA WALKER and another,1 on behalf of themselves and other similarly situated

vs.

BOSTON MEDICAL CENTER CORP. and others 2

1 Anne O’Rourke

2 MDF Transcription, LLC and Richard J. Fagan.

MEMORANDUM OF DECISION AND ORDER ON

DEFENDANT BOSTON MEDICAL CENTER CORP.’S

MOTION FOR SUMMARY JUDGMENT

In March 2014, defendant Boston Medical Center, Corp. (BMC) learned that another health care provider had inadvertently accessed a BMC patient’s medical information on a website maintained by defendant MDF Transcriptions, LLC (MDF), a medical transcription company used by both BMC and this other provider.  It sent a letter to all its patients who had records that had been transcribed by MDF informing them that there might have been unauthorized access to their medical information.  After receiving this letter, the plaintiffs Kamyra Walker and Anne O’Rourke, filed this putative class action against BMC, MDF, and Richard Fagan, MDF’s owner and manager.  They assert that the defendants are liable to them, and all other similarly situated BMC patients, for failing to ensure that their medical information was kept confidential.  The case is before the court on BMC’s motion for summary judgment.  BMC argues, among other things, that the plaintiffs lack standing to maintain the claims asserted against it.3  For the reasons that follow, the motion is ALLOWED.

3 BMC also argues that the complaint fails to state a claim on which relief may be granted. Having found that the plaintiffs lack standing to bring their claims, the court does not reach this issue.

4 “FTP, or file transfer protocol, is a protocol for exchanging files over any computer network that supports the TCP/IP protocol (such as the Internet or an intranet).”  SRI Int’l Inc. v. Internet Sec. Sys., 647 F. Supp. 2d 323, 332 n.2 (D. Del. 2009).

BACKGROUND

For several years, certain BMC medical practices used MDF to transcribe their physicians’ audio recorded patient notes.  The transcriptions were available through a “file transfer protocol” (FTP or .ftp) site maintained by MDF.4

On March 4, 2014, Pam Bronson of Access Sports Medicine (ASM), another MDF customer, telephoned BMC.  She informed BMC that she saw a BMC transcription record when she accessed MDF’s transcription portal using her ASM user name and password.  In response, BMC contacted MDF, and MDF took down the FTP site.  Shortly thereafter, BMC terminated its relationship with MDF and notified patients, including the plaintiffs, of what had occurred.

The notification letter sent to the plaintiffs informed them that their patient records from office visits with physicians “were inadvertently made accessible to the public through [MDF’s] online site.”  The letter also noted that the site “was not password protected and could potentially be accessed by non-authorized individuals.”  There is no evidence in the record, however, that the website was ever accessible to the general public, as opposed to an individual that was associated with another MDF customer and who should only have had access to that customer’s transcriptions.  The only admissible evidence in the summary judgment record is consistent with a finding that the FTP site was only accessible to an MDF customer with a user name and password.5

5 Plaintiffs note that Joseph Cumillus, BMC’s 30(b)(6) deponent, stated in his deposition:  “it was concerning to me that this information was on an FTP site that wasn’t password protected.”  The court understands this to refer to the incident in which another health care provider customer of MDF was able to access a transcription that should have only been accessible to a BMC user with a system qualified user name and password.  There is no evidence that the MDF .ftp site could be accessed by someone who did not have an MDF .ftp user name and password.  Indeed, as discussed above, there is only evidence that one other MDF customer was able to access BMC transcriptions on one occasion.

No social security numbers or financial information was contained in the BMC transcription records on MDF’s FTP site, including plaintiffs’ records.  The addresses and birth dates of some individuals were contained in the records on the site, but plaintiffs’ addresses and birth dates were not.  Walker’s transcription records only contained her name, medical record number, and treatment information.  O’Rourke’s transcription records likewise only contained her name and treatment information.  There is no evidence that the transcription record that Bronson saw was associated with either plaintiff.

DISCUSSION

The plaintiffs’ complaint contains six counts against BMC:  Invasion of Privacy under G.L. c. 214, § 1B (Count I); Breach of Confidentiality (Count II);  Breach of Fiduciary Duty (Count III); Negligence (Count IV); Negligent Supervision (Count V); and Breach of Implied Contract (Count VI).  The plaintiffs lack standing to bring any of these claims.

To have standing, a plaintiff must show that it has suffered or is in danger of immediately suffering a concrete and legally cognizable injury.  See Pugsley v. Boston Police Dept., 472 Mass. 367, 371, 373 (2015).  The injury must be a direct and ascertainable result of the defendant’s alleged actions.  Sullivan v. Chief Justice for Admin. & Mgt. of the Trial Court, 448 Mass. 15, 21 (2006).  Injuries that are speculative, remote, or indirect are insufficient to confer standing.  Id.; see also Warth v. Seldin, 422 U.S. 490, 501 (1975) (plaintiffs must allege “distinct and palpable injury” to invoke judicial intervention).

While the notification letter sent to plaintiffs painted a disquieting picture that might have alarmed a BMC patient who received it, there is no evidence in the summary judgment record that any unauthorized person ever saw either transcriptions relating to either plaintiff’s medical treatment at BMC.  In fact, there is no evidence that what happened on the MDF .ftp portal constituted the type of data breach that has garnered so much media attention and provoked anxiety among consumers.  All the summary judgment record in this case demonstrates is that in March 2014, an employee of ASM, another MDF health care provider customer, inadvertently accessed one file associated with an unidentified BMC patient and promptly reported that fact to BMC.  The plaintiffs have submitted no evidence that this healthcare provider or any other third party viewed the plaintiffs’ records or misused the information contained therein.6  Nor have they offered any evidence that BMC patient information, more generally, was ever accessed by members of the public or even additional MDF customers during this period of time.  Plaintiffs have therefore failed to show that they suffered or are in danger of immediately suffering a concrete injury related to the March 2014 incident.  Compare Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 387-391 (6th Cir. 2016) (plaintiffs had standing where hackers stole their personal information from insurance company); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692-694 (7th Cir. 2015) (plaintiffs had standing where hackers stole their credit card numbers from department store and over 9,200 credit cards were known to have been used fraudulently); Resnick v. AvMed, Inc., 693 F.3d 1317, 1323-1324 (11th Cir. 2012) (plaintiffs had standing where healthcare provider’s unencrypted laptop computers containing customers’ sensitive information were stolen and plaintiffs became victims of identity theft).  In other words, lacking in this case is any evidence that any unauthorized person ever saw plaintiffs’ transcriptions; the possibility that it could have happened is inadequate to confer standing.  See Clapper v. Amnesty Int’l USA, 1333 S. Ct. 1138 (2013) (Where the Supreme Court explained that a “theory of standing[] which relies on a highly attenuated chain of possibilities[] does not satisfy the requirement that threatened injury must be certainly impending.”)

6 Walker maintains that fraudulent income tax returns were filed in her name in 2012 and 2013 but fails to provide any evidence that links those filings with any personal information contained in her BMC transcription. A tax return requires a social security number, something that was not in Walker’s transcriptions.

In arguing that they have standing, plaintiffs principally rely on Tabata v. Charleston Area Medical Center, Inc., 233 W. Va. 512 (2014).  In Tabata, the West Virginia court found that the plaintiffs’ personal and medical information (i.e., their names, contact details, social security numbers, dates of birth, and certain basic respiratory care) was placed on the internet for six months in a manner that could have been accessed by the general public using “an advanced internet search”.  Id. at 462 & n.1.  Although discovery revealed no unauthorized or malicious users who had attempted to obtain the information, the Court concluded, without very much analysis, that the plaintiffs had standing to bring their invasion of privacy and breach of confidentiality claims.  Id. at 463-465.  The decision is inapposite.  Even assuming that Massachusetts appellate courts would follow Tabata and find that the potential exposure of one’s personal information to others constitutes a cognizable injury, the plaintiffs’ claims in this case are quite different.  The information in the BMC transcriptions theoretically available to an authorized user was very different than the detailed personal information at issue in Tabata.  Moreover, the only “unauthorized” persons who might have had access to the plaintiffs’ information were, at most, other medical provider customers of MDF, who were also subject to the confidentiality restraints applicable to all health care providers.7

7 The plaintiffs argue that the possibility of disclosure of private facts, like those allegedly contained in the transcriptions, without more will constitute an invasion of privacy in violation of G.L. c. 214, § 1B. See, e.g., Polay v. McMahon, 468 Mass. 379 (2014) (“To sustain an invasion of privacy, the invasion must be both unreasonable and substantial or serious.”). This distinguishes their claim from those alleging economic loss in which courts have held that when data was stolen for the deliberate purpose of obtaining credit card information, there was an objectively reasonable likelihood that injury had occurred or was impending, but when the possibility of harm from unauthorized viewing was speculative plaintiffs had no standing. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015). The court disagrees. Even if the transcriptions contained very personal, health care information (an allegation the court declines to address), the plaintiffs must provide evidence, beyond mere speculation, that there was unauthorized viewing of the information.

8 In opposing the motion, plaintiffs rely on an affidavit from Fagan.  The information contained in that affidavit, however, is not based on personal knowledge, does not relate to the incident in question, and is not useful on the question of standing.

The plaintiffs seemingly suggest that it is BMC’s fault that they do not have any evidence of unauthorized access of their transcriptions to support their claims.  They blame BMC for failing to conduct a thorough investigation into the scope and nature of the “breach.”  Whether, for other purposes, BMC should have conducted a more intensive investigation is not an issue germane to the pending motion.  In the context of this civil litigation, it was not BMC’s responsibility to prove that the BMC records on the FTP site were never accessed or misused by others.  As the plaintiffs in this lawsuit, it was their burden to present some evidence in the summary judgment record establishing harm or immediate risk of harm related to the March 2014 incident.  Plaintiffs, however, did little to develop their case in discovery after filing their complaint.  For example, there is no evidence in the summary judgment record suggesting that they undertook steps to obtain information about whether any other customers in addition to ASM had experienced a similar incident in which that customer had access to transcriptions relating to the patient of some other health care provider, let alone BMC.  In fact, there is no evidence in the summary judgment record that any ASM employee other than Bronson viewed records on the FTP site relating to a patient of some other health care provider, whether BMC or some other provider.  In consequence, plaintiffs have been unable to offer any evidence that their records were viewed or misused, or that there is an immediate danger that this will occur.  Absent such evidence, they cannot demonstrate they have standing to bring their claims.8

 

ORDER

For the foregoing reasons, the defendant Boston Medical Corp.’s motion for summary judgment is ALLOWED.  Although there are two remaining defendants in this action, MDF Transcription, LLC and Richard J. Fagan, MDF has apparently ceased operations and never answered the complaint and Fagan has filed a bankruptcy petition which is still pending.  The court therefore finds that there is no just reason for delay and directs that a final judgment enter dismissing this action as to the defendant Boston Medical Corp.

______________________________

Mitchell H. Kaplan

Justice of the Superior Court

Dated: June 7, 2017
