Alabama judge certifies data privacy breach case

Posted on: March 27th, 2017 by Keith Dubanevich

An Alabama federal judge has certified two subclasses of patients who accuse a hospital of negligence and breach of contract for its failure to prevent and minimize the impact of a former worker’s theft of their personal information.

In a 46-page order, Chief U.S. District Judge W. Keith Watkins concluded the plaintiffs had met the requirements for certification of their proposed class of all patients who had their blood drawn by a medical provider that sent the blood to be tested by Flowers Hospital, where a phlebotomist stole their personal information and used it to file fraudulent tax returns. The phlebotomist was subsequently arrested and charged with trafficking in stolen identities.

The judge certified a pair of subclasses to distinguish between patients who received the notice of privacy practices (NPP) that the Alabama hospital sends to all patients and those that did not. The patients argued that the NPP bolstered their claim for breach of express contract because it constitutes a binding contract setting forth Flowers Hospital’s obligation to maintain patient confidentiality.

The judge separately certified a class of individuals who did not receive the NPP and could only pursue an implied contract claim under Alabama law.

The case is Smith et al. v. Triad of Alabama LLC d/b/a Flowers Hospital, case number 1:14-cv-00324, in the U.S. District Court for the Middle District of Alabama.