DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Lawsuit against Omnicell dismissed

Posted on January 3, 2014 by Dissent

I’ve blogged about the Omnicell breach of November 2012 a number of times on this blog as new information emerged about who was affected by the breach. As a quick reminder, a laptop with unencrypted PHI was stolen from an employee’s car. Omnicell is a business associate of numerous hospitals, providing them with medication dispensing/pharmacy management services.

I was not aware of it at the time, but Omnicell and the affected covered entities – Sentara Healthcare, South Jersey Health System, Inc., [now Inspira Health Network, Inc.], and the Board of Regents of the University of Michigan –  were all sued over the breach (Polanco v. Omnicell).  The case was dismissed (order), however, on December 26.

Jeff Drummond notes that the dismissal was for failure to demonstrate damages.

Reading the full opinion, I see there were actually a number of problems with the complaint. The Board of Regents of U. of Michigan successfully argued that they had immunity under the Eleventh Amendment as an arm of the state, and Sentara Healthcare successfully argued that they had absolutely no relationship to the named plaintiff or the chain of events leading to her situation. So it was down to Omnicell and the South Jersey Health System. And the plaintiff couldn’t demonstrate actual damages from their conduct. The court rejected her argument that her decision to travel to another hospital further away where she felt PHI would be better protected gave her standing. Nor could she demonstrate that anyone had even viewed her daughter’s PHI, much less misused it.

So failing to demonstrate a ‘concrete and particularized’ or ‘actual or imminent’ injury,” the plaintiff’s case was dismissed.

Looking at HHS’s breach tool, I see no summary notation on this breach for the U. Michigan and South Jersey Health System entries, which may indicate that OCR is still investigating this breach.  Curiously, the Sentara part of the breach (56,000 patients) does not appear on HHS’s breach tool, and I have e-mailed HHS to ask why that breach report does not appear on the breach tool.

But as Jeff Drummond noted, the court’s dismissal of the case for lack of standing and demonstration of actual damages is a good reminder of why we need enforcement by HHS for violation of HIPAA and HITECH. In this case, one could also envision FTC looking at Omnicell’s practices to see if their security program was inadequate and whether Omnicell’s failure to deploy readily available and commercially reasonable measures such as encryption on the laptop constituted an unfair practice that was directly responsible for any significant injury experienced by consumers.

Related posts:

  • Update on Omnicell stolen device breach: 56,000 Sentara patients impacted
  • OCR Secures $2.175 Million HIPAA Settlement after Sentara Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information
  • Sentara Health terminates remote employees after realizing they couldn’t be sure who was doing the work.
  • 1,040 Sentara Heart Hospital patients notified of HIPAA breach
Category: Health Data

Post navigation

← In which I remind HHS of Einstein's point…
University of Pennsylvania Health System says approximately 1,000 patients' privacy was compromised by printing error at RevSpring →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.