[ISN] Omnicell data breach suit dismissal: Healthcare ramifications

http://healthitsecurity.com/2014/01/06/omnicell-data-breach-suit-dismissal-healthcare-ramifications/ By Patrick Ouellette healthitsecurity.com January 6, 2014 A lawsuit against Omnicell stemming from a 2012 health data breach was recently dismissed, in part, because the plaintiff failed to prove damages related to the breach. The interesting part of the dismissal, however, was that there were four separate defendants that were involved that used different defenses. Omnicell served as a business associate (BA) for Sentara Healthcare, South Jersey Health System, Inc., (now Inspira Health Network, Inc.) and the Board of Regents of the University of Michigan when laptop with some of their unencrypted PHI had been stolen from an employee’s car in 2012. Read the dismissal decision here. In dismissing the case, the court provided a strong reminder that suing for damages in a private cause of action related to a data breach puts a heavy burden of proof on plaintiffs to show that (1) the healthcare organizations were at fault for the breach and (2) the damages were a direct result of the breach. Because there were four defendants and the courts divided the case into the four defenses that each group of defendants offered, HealthITSecurity.com spoke with Randy Gainer, partner in the Seattle office of Davis Wright Tremaine. Gainer was able to successfully move to dismiss the putative class action claims against South Jersey Hospital, now known as Inspira, but also discussed some of the other defenses raised in the lawsuit. First, claims against hospitals run by the University of Michigan were dismissed on 11th Amendment grounds. “The court agreed with their argument that the State of Michigan had not waived their sovereign immunity to be subject to these types of claims, and the claims against the Michigan hospitals were dismissed,” Gainer said. The court didn’t even have to review the other defenses that Michigan had raised. […]