DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NY Court of Appeals rules employer not liable for actions of employee acting outside scope of employment

Posted on January 10, 2014 by Dissent

There’s a follow-up to a breach lawsuit involving an employee of Guthrie Health System who shared a patients’ sensitive medical information with a third party – and privacy advocates will not be happy.

As I first noted in March 2011, “John Doe” sued Guthrie Health System after a nurse sent embarrassing text messages about his sexually transmitted disease to his girlfriend.

Doe lost in federal court and appealed to the Second Circuit, which affirmed the dismissal of some of the claims. According to the NY Court of Appeals ruling today:

In a separate opinion (710 F3d 492 [2d Cir 2013]), the Second Circuit found that the nurse’s actions were not foreseeable to defendants, nor were her actions taken within the scope of her employment (id. at 495). The court explained that in his complaint Doe himself alleged that the nurse was motivated by purely personal reasons and “those reasons had ‘nothing to do with [Doe’s] treatment and care'” (id., citing Doe complaint at ¶ 25). “As such,” the court held, the nurse’s “actions cannot be imputed to the defendants on the basis of respondeat superior” (id. at 496). The court certified the question to this Court, however, whether Doe may assert a specific and legally distinct cause of action against defendant, for breach of the fiduciary duty of confidentiality, even when respondeat superior liability is absent (id. at 498).

So before the NY Court of Appeals was this one question:

“Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment?”

Today, in a 6-1 opinion, the court answered that question in the negative, holding that

a medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.

[…]

In cases where an injured plaintiff’s cause of action fails because the employee is acting outside the scope of employment, a direct cause of action against the medical corporation for its own conduct, be it negligent hiring, supervision or other negligence may still be maintained (see Judith M. v Sisters of Charity Hosp., 93 NY2d 932, 934 [1999]). A medical corporation may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures. These potential claims provide the requisite incentive for medical providers to put in place appropriate safeguards to ensure protection of a patient’s confidential information. Those causes of action in the present case have already been resolved by the federal courts and we therefore do not address them.

In her dissent, Judge Rivera notes:

The majority’s narrow conception of a medical corporation’s duty undermines New York’s public policy to protect the confidentiality of patients’ medical records (see Public Health Law § 2803-c [1] [3] [f]). The ease with which confidential patient information can now spread through personal digital devices and across social networks demands a strong legal regime to protect a patient’s confidentiality. A cause of action directly against a medical corporation, unhampered by questions as to whether an employee’s conduct occurred within the scope of employment, ensures the fullest protections for patients and best addresses the current realities of medical service delivery.

[…]

A hospital should owe a duty to keep a patient’s health information confidential, and a hospital should be directly liable for its own failure to prevent breaches of confidentiality by employees who act outside the scope of their employment.

Not surprisingly, I agree with Judge Rivera.

h/t, Law360.com

[Added link to Second Circuit ruling, thanks to Mark Eckenwiler]

Category: Health Data

Post navigation

← Target update: 70 million MORE customers affected by breach (Update)
House passes bill to require data breach notification for breaches involving Healthcare.gov and state exchanges →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.