DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NY Court of Appeals rules employer not liable for actions of employee acting outside scope of employment

Posted on January 10, 2014 by Dissent

There’s a follow-up to a breach lawsuit involving an employee of Guthrie Health System who shared a patients’ sensitive medical information with a third party – and privacy advocates will not be happy.

As I first noted in March 2011, “John Doe” sued Guthrie Health System after a nurse sent embarrassing text messages about his sexually transmitted disease to his girlfriend.

Doe lost in federal court and appealed to the Second Circuit, which affirmed the dismissal of some of the claims. According to the NY Court of Appeals ruling today:

In a separate opinion (710 F3d 492 [2d Cir 2013]), the Second Circuit found that the nurse’s actions were not foreseeable to defendants, nor were her actions taken within the scope of her employment (id. at 495). The court explained that in his complaint Doe himself alleged that the nurse was motivated by purely personal reasons and “those reasons had ‘nothing to do with [Doe’s] treatment and care'” (id., citing Doe complaint at ¶ 25). “As such,” the court held, the nurse’s “actions cannot be imputed to the defendants on the basis of respondeat superior” (id. at 496). The court certified the question to this Court, however, whether Doe may assert a specific and legally distinct cause of action against defendant, for breach of the fiduciary duty of confidentiality, even when respondeat superior liability is absent (id. at 498).

So before the NY Court of Appeals was this one question:

“Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment?”

Today, in a 6-1 opinion, the court answered that question in the negative, holding that

a medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.

[…]

In cases where an injured plaintiff’s cause of action fails because the employee is acting outside the scope of employment, a direct cause of action against the medical corporation for its own conduct, be it negligent hiring, supervision or other negligence may still be maintained (see Judith M. v Sisters of Charity Hosp., 93 NY2d 932, 934 [1999]). A medical corporation may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures. These potential claims provide the requisite incentive for medical providers to put in place appropriate safeguards to ensure protection of a patient’s confidential information. Those causes of action in the present case have already been resolved by the federal courts and we therefore do not address them.

In her dissent, Judge Rivera notes:

The majority’s narrow conception of a medical corporation’s duty undermines New York’s public policy to protect the confidentiality of patients’ medical records (see Public Health Law § 2803-c [1] [3] [f]). The ease with which confidential patient information can now spread through personal digital devices and across social networks demands a strong legal regime to protect a patient’s confidentiality. A cause of action directly against a medical corporation, unhampered by questions as to whether an employee’s conduct occurred within the scope of employment, ensures the fullest protections for patients and best addresses the current realities of medical service delivery.

[…]

A hospital should owe a duty to keep a patient’s health information confidential, and a hospital should be directly liable for its own failure to prevent breaches of confidentiality by employees who act outside the scope of their employment.

Not surprisingly, I agree with Judge Rivera.

h/t, Law360.com

[Added link to Second Circuit ruling, thanks to Mark Eckenwiler]

Related posts:

  • Small-Scale Violations of Medical Privacy Often Cause the Most Harm
Category: Health Data

Post navigation

← Target update: 70 million MORE customers affected by breach (Update)
House passes bill to require data breach notification for breaches involving Healthcare.gov and state exchanges →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.