[BreachExchange] Lawsuit Filed in Federal Court Over Alleged Data Breach Concerning COVID Contact Tracing Information

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jun 2 15:45:28 EDT 2021


https://www.natlawreview.com/article/lawsuit-filed-federal-court-over-alleged-data-breach-concerning-covid-contact

Last month, a putative class action lawsuit was filed in federal court
concerning a data breach resulting from the alleged improper disclosure of
COVID-contact tracing data.  Read on to learn more, and how this case fits
more broadly into a trend of data breaches involving the healthcare
industry.  Chapman v. Commonwealth of Pennsylvania, et al., No.
1:21-cv-00824 (M.D. Pa.)

As readers of CPW already know from developments this past year, “contact
tracing” is used to notify individuals of exposure to COVID-19.  In this
case, Plaintiff alleges that a contractor was retained by the Pennsylvania
Department of Health (“DOH”) in the midst of the COVID pandemic to contact
individuals who were either diagnosed with or in close proximity to
individuals diagnosed with COVID-19.

Plaintiff alleges that notwithstanding representations that all protected
health information (“PHI”) “obtained in connection with COVID-19 contact
tracing would be kept private and confidential,” Defendants (including the
contractor and Pennsylvania DOH) failed to take “appropriate or even the
most basic steps to protect the PHI of Plaintiff and other class members
from being disclosed.”  This included the contractor purportedly having
employees who used “unsecure data storage and communications methods,” that
resulted in the disclosure of Plaintiff’s and class members’ PHI.

The Complaint alleges that Defendants failed to comply with the obligations
imposed on them under the Health Insurance Portability and Accountability
Act (“HIPAA”).  [Note: HIPAA does not contain a private right of action, so
while the Complaint alleges violation of HIPAA, Plaintiff’s claims are not
predicated on HIPAA.]  Plaintiff seeks to certify a class consisting of
“[a]ll persons in the United States whose PHI was compromised in the Data
Breach disclosed by DOH and Insight between March 16, 2020 and April 29,
2021.”

A press release discussing the Data Breach stated that information
disclosed may have included: (1) names of individuals who may have been
exposed to COVID-19 (and if they experienced symptoms), (2) information
about the number of members in their households and their emails and
telephone numbers, and (3) information needed for social-support services
pertaining to COVID-19 related issues.  However, the information impacted
by the breach did not include Social Security numbers, financial account
information or payment card information.

The Breach evidently occurred, based on media reports, because certain
employees of the contractor set up and used several Google accounts for
sharing information as part of an “unauthorized collaboration channel” that
bypassed the contractor’s network security.

In many ways, notwithstanding the unique factual allegations, the claims
and relief sought by Plaintiff are typical of those raised in other data
breach and data event litigations.  The Complaint includes claims for: (1)
negligence, (2) negligence per se, and (3) publicity given to private
life.  The damages sought by the Plaintiff include, among other things,
“equitable relief compelling Defendants to utilize appropriate methods and
policies with respect to consumer data collection, storage, and safety, and
to disclose with specificity the type of PHI compromised during the Data
Breach.”

As the number of data breaches and data events involving entities in the
healthcare sector continues to rise, so will the number of lawsuits
alleging the improper disclosure of PHI.  For more information on this
litigation and other data privacy developments, stay tuned.