Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Walker v. Boston Medical Center Corp.

Superior Court of Massachusetts, Suffolk, Business Litigation Session

June 7, 2017

Kamyra Walker et al., [1] On Behalf of Themselves and Others Similarly Situated
v.
Boston Medical Center Corp. et al. [2]

          Filed June 8, 2017

          MEMORANDUM OF DECISION AND ORDER ON DEFENDANT BOSTON MEDICAL CENTER CORP.'S MOTION FOR SUMMARY JUDGMENT

          Mitchell H. Kaplan, Justice.

         In March 2014, defendant Boston Medical Center, Corp. (BMC) learned that another health care provider had inadvertently accessed a BMC patient's medical information on a website maintained by defendant MDF Transcriptions, LLC (MDF), a medical transcription company used by both BMC and this other provider. It sent a letter to all its patients who had records that had been transcribed by MDF informing them that there might have been unauthorized access to their medical information. After receiving this letter, the plaintiffs, Kamyra Walker and Anne O'Rourke, filed this putative class action against BMC, MDF, and Richard Fagan, MDF's owner and manager. They assert that the defendants are liable to them, and all other similarly situated BMC patients, for failing to ensure that their medical information was kept confidential. The case is before the court on BMC's motion for summary judgment. BMC argues, among other things, that the plaintiffs lack standing to maintain the claims asserted against it.[3] For the reasons that follow, the motion is ALLOWED .

         BACKGROUND

         For several years, certain BMC medical practices used MDF to transcribe their physicians' audio recorded patient notes. The transcriptions were available through a " file transfer protocol" (FTP or .ftp) site maintained by MDF.[4]

         On March 4, 2014, Pam Bronson of Access Sports Medicine (ASM), another MDF customer, telephoned BMC. She informed BMC that she saw a BMC transcription record when she accessed MDF's transcription portal using her ASM user name and password. In response, BMC contacted MDF, and MDF took down the FTP site. Shortly thereafter, BMC terminated its relationship with MDF and notified patients, including the plaintiffs, of what had occurred.

         The notification letter sent to the plaintiffs informed them that their patient records from office visits with physicians " were inadvertently made accessible to the public through [MDF's] online site." The letter also noted that the site " was not password protected and could potentially be accessed by non-authorized individuals." There is no evidence in the record, however, that the website was ever accessible to the general public, as opposed to an individual that was associated with another MDF customer and who should only have had access to that customer's transcriptions. The only admissible evidence in the summary judgment record is consistent with a finding that the FTP site was only accessible to an MDF customer with a user name and password.[5]

         No social security numbers or financial information was contained in the BMC transcription records on MDF's FTP site, including plaintiffs' records. The addresses and birth dates of some individuals were contained in the records on the site, but plaintiffs' addresses and birth dates were not. Walker's transcription records only contained her name, medical record number, and treatment information. O'Rourke's transcription records likewise only contained her name and treatment information. There is no evidence that the transcription record that Bronson saw was associated with either plaintiff.

         DISCUSSION

         The plaintiffs' complaint contains six counts against BMC: Invasion of Privacy under G.L.c. 214, § 1B (Count I); Breach of Confidentiality (Count II); Breach of Fiduciary Duty (Count III); Negligence (Count IV); Negligent Supervision (Count V); and Breach of Implied Contract (Count VI). The plaintiffs lack standing to bring any of these claims.

          To have standing, a plaintiff must show that it has suffered or is in danger of immediately suffering a concrete and legally cognizable injury. See Pugsley v. Boston Police Dept., 472 Mass. 367, 371, 373, 34 N.E.3d 1235 (2015). The injury must be a direct and ascertainable result of the defendant's alleged actions. Sullivan v. Chief Justice for Admin. & Mgt. of the Trial Court, 448 Mass. 15, 21, 858 N.E.2d 699 (2006). Injuries that are speculative, remote, or indirect are insufficient to confer standing. id.; see also Warth v. Seldin, 422 U.S. 490, 501, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975) (plaintiffs must allege " distinct and palpable injury" to invoke judicial intervention).

         While the notification letter sent to plaintiffs painted a disquieting picture that might have alarmed a BMC patient who received it, there is no evidence in the summary judgment record that any unauthorized person ever saw either transcriptions relating to either plaintiff's medical treatment at BMC. In fact, there is no evidence that what happened on the MDF .ftp portal constituted the type of data breach that has garnered so much media attention and provoked anxiety among consumers. All the summary judgment record in this case demonstrates is that in March 2014, an employee of ASM, another MDF health care provider customer, inadvertently accessed one file associated with an unidentified BMC patient and promptly reported that fact to BMC. The plaintiffs have submitted no evidence that this healthcare provider or any other third party viewed the plaintiffs' records or misused the information contained therein.[6] Nor have they offered any evidence that BMC patient information, more generally, was ever accessed by members of the public or even additional MDF customers during this period of time. Plaintiffs have therefore failed to show that they suffered or are in danger of immediately suffering a concrete injury related to the March 2014 incident. Compare Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 387-91 (6th Cir. 2016) (plaintiffs had standing where hackers stole their personal information from insurance company); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692-94 (7th Cir. 2015) (plaintiffs had standing where hackers stole their credit card numbers from department store and over 9, 200 credit cards were known to have been used fraudulently); Resnick v. AvMed, Inc., 693 F.3d 1317, 1323-24 (11th Cir. 2012) (plaintiffs had standing where healthcare provider's unencrypted laptop computers containing customers' sensitive information were stolen and plaintiffs became victims of identity theft). In other words, lacking in this case is any evidence that any unauthorized person ever saw plaintiffs' transcriptions; the possibility that it could have happened is inadequate to confer standing. See Clapper v. Amnesty Int'l USA, 568 U.S. 398, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (Where the Supreme Court explained that a " theory of standing[ ] which relies on a highly attenuated chain of possibilities[ does not satisfy the requirement that threatened injury must be certainly impending").

         In arguing that they have standing, plaintiffs principally rely on Tabata v. Charleston Area Medical Center, Inc., 233 W.Va. 512, 759 S.E.2d 459 (2014). In Tabata, the West Virginia court found that the plaintiffs' personal and medical information (i.e., their names, contact details, social security numbers, dates of birth, and certain basic respiratory care) was placed on the internet for six months in a manner that could have been accessed by the general public using " an advanced internet search." Id. at 462 & n.1. Although discovery revealed no unauthorized or malicious users who had attempted to obtain the information, the Court concluded, without very much analysis, that the plaintiffs had standing to bring their invasion of privacy and breach of confidentiality claims. Id. at 463-65. The decision is inapposite. Even assuming that Massachusetts appellate courts would follow Tabata and find that the potential exposure of one's personal information to others constitutes a cognizable injury, the plaintiffs' claims in this case are quite different. The information in the BMC transcriptions theoretically available to an authorized user was very different than the detailed personal information at issue in Tabata . Moreover, the only " unauthorized" persons who might have had access to the plaintiffs' information were, at most, other medical provider customers of MDF, who were also subject to the confidentiality restraints applicable to all health care providers.[7]

         The plaintiffs seemingly suggest that it is BMC's fault that they do not have any evidence of unauthorized access of their transcriptions to support their claims. They blame BMC for failing to conduct a thorough investigation into the scope and nature of the " breach." Whether, for other purposes, BMC should have conducted a more intensive investigation is not an issue germane to the pending motion. In the context of this civil litigation, it was not BMC's responsibility to prove that the BMC records on the FTP site were never accessed or misused by others. As the plaintiffs in this lawsuit, it was their burden to present some evidence in the summary judgment record establishing harm or immediate risk of harm related to the March 2014 incident. Plaintiffs, however, did little to develop their case in discovery after filing their complaint. For example, there is no evidence in the summary judgment record suggesting that they undertook steps to obtain information about whether any other customers in addition to ASM had experienced a similar incident in which that customer had access to transcriptions relating to the patient of some other health care provider, let alone BMC. In fact, there is no evidence in the summary judgment record that any ASM employee other than Bronson viewed records on the FTP site relating to a ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.