I’ve blogged about the Omnicell breach of November 2012 a number of times on this blog as new information emerged about who was affected by the breach. As a quick reminder, a laptop with unencrypted PHI was stolen from an employee’s car. Omnicell is a business associate of numerous hospitals, providing them with medication dispensing/pharmacy management services.
I was not aware of it at the time, but Omnicell and the affected covered entities – Sentara Healthcare, South Jersey Health System, Inc., [now Inspira Health Network, Inc.], and the Board of Regents of the University of Michigan – were all sued over the breach (Polanco v. Omnicell). The case was dismissed (order), however, on December 26.
Jeff Drummond notes that the dismissal was for failure to demonstrate damages.
Reading the full opinion, I see there were actually a number of problems with the complaint. The Board of Regents of U. of Michigan successfully argued that they had immunity under the Eleventh Amendment as an arm of the state, and Sentara Healthcare successfully argued that they had absolutely no relationship to the named plaintiff or the chain of events leading to her situation. So it was down to Omnicell and the South Jersey Health System. And the plaintiff couldn’t demonstrate actual damages from their conduct. The court rejected her argument that her decision to travel to another hospital further away where she felt PHI would be better protected gave her standing. Nor could she demonstrate that anyone had even viewed her daughter’s PHI, much less misused it.
So failing to demonstrate a ‘concrete and particularized’ or ‘actual or imminent’ injury,” the plaintiff’s case was dismissed.
Looking at HHS’s breach tool, I see no summary notation on this breach for the U. Michigan and South Jersey Health System entries, which may indicate that OCR is still investigating this breach. Curiously, the Sentara part of the breach (56,000 patients) does not appear on HHS’s breach tool, and I have e-mailed HHS to ask why that breach report does not appear on the breach tool.
But as Jeff Drummond noted, the court’s dismissal of the case for lack of standing and demonstration of actual damages is a good reminder of why we need enforcement by HHS for violation of HIPAA and HITECH. In this case, one could also envision FTC looking at Omnicell’s practices to see if their security program was inadequate and whether Omnicell’s failure to deploy readily available and commercially reasonable measures such as encryption on the laptop constituted an unfair practice that was directly responsible for any significant injury experienced by consumers.