As this blog noted in July 2013, a jury awarded a Walgreens customer $1.44 million after finding Walgreens and one of their pharmacists violated the customer’s privacy. In this case, a female pharmacist had looked up and shared the customer’s records when she suspected the female customer had shared a sexually transmitted disease with a man who was the customer’s ex-boyfriend and the pharmacist’s now-husband. The customer first discovered the breach when her ex-boyfriend (and father of her child) texted her that he had a printout of her prescription history that showed she had not renewed her birth control prescription for the two months prior to conception.
When the customer subsequently discovered that her ex-boyfriend was living with a Walgreens pharmacist, she contacted Walgreens to report the breach. Walgreens investigated and confirmed there had been a breach, but could not confirm that the pharmacist had shared the information with anyone else. The pharmacist was given a written warning and required to retake some HIPAA training.
The customer, Abigail Hinchy, subsequently filed a lawsuit against Walgreens and the pharmacist, Audra Withers.
As I also noted at the time of the jury verdict, I was impressed that the employer, Walgreens, was also held liable for the breach.
Not surprisingly, Walgreens appealed the judgement. One of its four arguments on appeal was that the trial court erred by refusing to grant summary judgment or a directed verdict in Walgreen’s favor on claims based on respondeat superior and negligent retention and supervision of an employee. Its fourth argument was that the jury verdict was excessive and based on improper factors.
On November 14, Judge Baker of the Court of Appeals of Indiana issued the court’s opinion in Walgreens v. Hinchy, rejecting all of Walgreen’s arguments and affirming the judgement.
Readers may find the court’s discussion of the respondeat superior aspect interesting, as well as the types of harm the jury had considered in determining their award (pp. 21-23).
Although I do not have any information on this, I do wonder what the jury might have done about Walgreens’ liability if Walgreens had fired the pharmacist promptly on learning of the breach.
h/t, Law360
Update: Carrie Dettmer Slye of BakerHostetler asks the same question I did about whether Walgreens’ disciplinary response influenced the jury’s award. Read her commentary on the court opinion and case on Data Privacy Monitor.