Opinion
SUCV2015-01733 BLS1 137475
06-07-2017
Kamyra Walker et al., [1] On Behalf of Themselves and Others Similarly Situated v. Boston Medical Center Corp. et al. [2]
Filed June 8, 2017
MEMORANDUM OF DECISION AND ORDER ON DEFENDANT BOSTON MEDICAL CENTER CORP.'S MOTION FOR SUMMARY JUDGMENT
Mitchell H. Kaplan, Justice.
In March 2014, defendant Boston Medical Center, Corp. (BMC) learned that another health care provider had inadvertently accessed a BMC patient's medical information on a website maintained by defendant MDF Transcriptions, LLC (MDF), a medical transcription company used by both BMC and this other provider. It sent a letter to all its patients who had records that had been transcribed by MDF informing them that there might have been unauthorized access to their medical information. After receiving this letter, the plaintiffs, Kamyra Walker and Anne O'Rourke, filed this putative class action against BMC, MDF, and Richard Fagan, MDF's owner and manager. They assert that the defendants are liable to them, and all other similarly situated BMC patients, for failing to ensure that their medical information was kept confidential. The case is before the court on BMC's motion for summary judgment. BMC argues, among other things, that the plaintiffs lack standing to maintain the claims asserted against it. For the reasons that follow, the motion is ALLOWED .
BMC also argues that the complaint fails to state a claim on which relief may be granted. Having found that the plaintiffs lack standing to bring their claims, the court does not reach this issue.
BACKGROUND
For several years, certain BMC medical practices used MDF to transcribe their physicians' audio recorded patient notes. The transcriptions were available through a " file transfer protocol" (FTP or .ftp) site maintained by MDF.
" FTP, or file transfer protocol, is a protocol for exchanging files over any computer network that supports the TCP/IP protocol (such as the Internet or an intranet). SRI Int'l Inc. v. Internet Sec. Sys., 647 F.Supp.2d 323, 332 n.2 (D.Del. 2009).
On March 4, 2014, Pam Bronson of Access Sports Medicine (ASM), another MDF customer, telephoned BMC. She informed BMC that she saw a BMC transcription record when she accessed MDF's transcription portal using her ASM user name and password. In response, BMC contacted MDF, and MDF took down the FTP site. Shortly thereafter, BMC terminated its relationship with MDF and notified patients, including the plaintiffs, of what had occurred.
The notification letter sent to the plaintiffs informed them that their patient records from office visits with physicians " were inadvertently made accessible to the public through [MDF's] online site." The letter also noted that the site " was not password protected and could potentially be accessed by non-authorized individuals." There is no evidence in the record, however, that the website was ever accessible to the general public, as opposed to an individual that was associated with another MDF customer and who should only have had access to that customer's transcriptions. The only admissible evidence in the summary judgment record is consistent with a finding that the FTP site was only accessible to an MDF customer with a user name and password.
Plaintiffs note that Joseph Cumilus, BMC's 30(b)(6) deponent, stated in his deposition: " it was concerning to me that this information was on an FTP site that wasn't password protected." The court understands this to refer to the incident in which another health care provider customer of MDF was able to access a transcription that should have only been accessible to a BMC user with a system qualified user name and password. There is no evidence that the MDF .ftp site could be accessed by someone who did not have an MDF .ftp user name and password. Indeed, as discussed above, there is only evidence that one other MDF customer was able to access BMC transcriptions on one occasion.
No social security numbers or financial information was contained in the BMC transcription records on MDF's FTP site, including plaintiffs' records. The addresses and birth dates of some individuals were contained in the records on the site, but plaintiffs' addresses and birth dates were not. Walker's transcription records only contained her name, medical record number, and treatment information. O'Rourke's transcription records likewise only contained her name and treatment information. There is no evidence that the transcription record that Bronson saw was associated with either plaintiff.
DISCUSSION
The plaintiffs' complaint contains six counts against BMC: Invasion of Privacy under G.L.c. 214, § 1B (Count I); Breach of Confidentiality (Count II); Breach of Fiduciary Duty (Count III); Negligence (Count IV); Negligent Supervision (Count V); and Breach of Implied Contract (Count VI). The plaintiffs lack standing to bring any of these claims.
To have standing, a plaintiff must show that it has suffered or is in danger of immediately suffering a concrete and legally cognizable injury. See Pugsley v. Boston Police Dept., 472 Mass. 367, 371, 373, 34 N.E.3d 1235 (2015). The injury must be a direct and ascertainable result of the defendant's alleged actions. Sullivan v. Chief Justice for Admin. & Mgt. of the Trial Court, 448 Mass. 15, 21, 858 N.E.2d 699 (2006). Injuries that are speculative, remote, or indirect are insufficient to confer standing. id.; see also Warth v. Seldin, 422 U.S. 490, 501, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975) (plaintiffs must allege " distinct and palpable injury" to invoke judicial intervention).
While the notification letter sent to plaintiffs painted a disquieting picture that might have alarmed a BMC patient who received it, there is no evidence in the summary judgment record that any unauthorized person ever saw either transcriptions relating to either plaintiff's medical treatment at BMC. In fact, there is no evidence that what happened on the MDF .ftp portal constituted the type of data breach that has garnered so much media attention and provoked anxiety among consumers. All the summary judgment record in this case demonstrates is that in March 2014, an employee of ASM, another MDF health care provider customer, inadvertently accessed one file associated with an unidentified BMC patient and promptly reported that fact to BMC. The plaintiffs have submitted no evidence that this healthcare provider or any other third party viewed the plaintiffs' records or misused the information contained therein. Nor have they offered any evidence that BMC patient information, more generally, was ever accessed by members of the public or even additional MDF customers during this period of time. Plaintiffs have therefore failed to show that they suffered or are in danger of immediately suffering a concrete injury related to the March 2014 incident. Compare Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 387-91 (6th Cir. 2016) (plaintiffs had standing where hackers stole their personal information from insurance company); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692-94 (7th Cir. 2015) (plaintiffs had standing where hackers stole their credit card numbers from department store and over 9, 200 credit cards were known to have been used fraudulently); Resnick v. AvMed, Inc., 693 F.3d 1317, 1323-24 (11th Cir. 2012) (plaintiffs had standing where healthcare provider's unencrypted laptop computers containing customers' sensitive information were stolen and plaintiffs became victims of identity theft). In other words, lacking in this case is any evidence that any unauthorized person ever saw plaintiffs' transcriptions; the possibility that it could have happened is inadequate to confer standing. See Clapper v. Amnesty Int'l USA, 568 U.S. 398, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (Where the Supreme Court explained that a " theory of standing[ ] which relies on a highly attenuated chain of possibilities[ does not satisfy the requirement that threatened injury must be certainly impending").
Walker maintains that fraudulent income tax returns were filed in her name in 2012 and 2013 but fails to provide any evidence that links those filings with any personal information contained in her BMC transcription. A tax return requires a social security number, something that was not in Walker's transcriptions.
In arguing that they have standing, plaintiffs principally rely on Tabata v. Charleston Area Medical Center, Inc., 233 W.Va. 512, 759 S.E.2d 459 (2014). In Tabata, the West Virginia court found that the plaintiffs' personal and medical information (i.e., their names, contact details, social security numbers, dates of birth, and certain basic respiratory care) was placed on the internet for six months in a manner that could have been accessed by the general public using " an advanced internet search." Id. at 462 & n.1. Although discovery revealed no unauthorized or malicious users who had attempted to obtain the information, the Court concluded, without very much analysis, that the plaintiffs had standing to bring their invasion of privacy and breach of confidentiality claims. Id. at 463-65. The decision is inapposite. Even assuming that Massachusetts appellate courts would follow Tabata and find that the potential exposure of one's personal information to others constitutes a cognizable injury, the plaintiffs' claims in this case are quite different. The information in the BMC transcriptions theoretically available to an authorized user was very different than the detailed personal information at issue in Tabata . Moreover, the only " unauthorized" persons who might have had access to the plaintiffs' information were, at most, other medical provider customers of MDF, who were also subject to the confidentiality restraints applicable to all health care providers.
The plaintiffs argue that the possibility of disclosure of private facts, like those allegedly contained in the transcriptions, without more will constitute an invasion of privacy in violation of G.L.c. 214, § 1B. See, e.g., Polay v. McMahon, 468 Mass. 379, 10 N.E.3d 1122 (2014) (" To sustain an invasion of privacy, the invasion must be both unreasonable and substantial or serious"). This distinguishes their claim from those alleging economic loss in which courts have held that when data was stolen for the deliberate purpose of obtaining credit card information, there was an objectively reasonable likelihood that injury had occurred or was impending, but when the possibility of harm from unauthorized viewing was speculative plaintiffs had no standing. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015). The court disagrees. Even if the transcriptions contained very personal, health care information (an allegation the court declines to address), the plaintiffs must provide evidence, beyond mere speculation, that there was unauthorized viewing of the information.
The plaintiffs seemingly suggest that it is BMC's fault that they do not have any evidence of unauthorized access of their transcriptions to support their claims. They blame BMC for failing to conduct a thorough investigation into the scope and nature of the " breach." Whether, for other purposes, BMC should have conducted a more intensive investigation is not an issue germane to the pending motion. In the context of this civil litigation, it was not BMC's responsibility to prove that the BMC records on the FTP site were never accessed or misused by others. As the plaintiffs in this lawsuit, it was their burden to present some evidence in the summary judgment record establishing harm or immediate risk of harm related to the March 2014 incident. Plaintiffs, however, did little to develop their case in discovery after filing their complaint. For example, there is no evidence in the summary judgment record suggesting that they undertook steps to obtain information about whether any other customers in addition to ASM had experienced a similar incident in which that customer had access to transcriptions relating to the patient of some other health care provider, let alone BMC. In fact, there is no evidence in the summary judgment record that any ASM employee other than Bronson viewed records on the FTP site relating to a patient of some other health care provider, whether BMC or some other provider. In consequence, plaintiffs have been unable to offer any evidence that their records were viewed or misused, or that there is an immediate danger that this will occur. Absent such evidence, they cannot demonstrate they have standing to bring their claims.
In opposing the motion, plaintiffs rely on an affidavit from Fagan. The information contained in that affidavit, however, is not based on personal knowledge, does not relate to the incident in question, and is not useful on the question of standing.
ORDER
For the foregoing reasons, the defendant Boston Medical Corp.'s motion for summary judgment is ALLOWED . Although there are two remaining defendants in this action, MDF Transcription, LLC and Richard J. Fagan, MDF has apparently ceased operations and never answered the complaint and Fagan has filed a bankruptcy petition which is still pending. The court therefore finds that there is no just reason for delay and directs that a final judgment enter dismissing this action as to the defendant Boston Medical Corp.