Kevin Grasha has an update on a breach previously noted on this site.
University of Cincinnati Medical Center can’t be sued after an employee leaked private medical records about a patient who had syphilis, a judge ruled Monday.
The patient, a woman in her early 20s, filed the lawsuit last year. A screen shot of the woman’s private medical records from the hospital was posted on the Facebook group, “Team No Hoes,” in September 2013. The records listed the woman’s diagnosis as “maternal syphilis.” She was pregnant at the time.
Read more on Cincinnati.com.
In a way, and even though the patient may appeal the ruling, this ruling is consistent with other cases where covered entities were found not liable for employees’ egregious conduct that were outside the employee’s scope of work duties. In this case, the employee was reportedly in the financial services department.
It is not known what, if any, action HHS/OCR has taken as a result of their investigation into the incident.
Update: Jeff Drummond’s blog about this case mentions that this case has a different result than Hinchy v. Walgreens, a case that I covered last year, but temporarily forgot about it in writing up the Ohio case. So we have cases in two states that found no employer liability and one case in a third state that found for the plaintiff/patient.
I am not responsible for what my employee does with the information I give them and the time I pay them for.
If my employee causes me and others harm, not my problem.
If my employee posts a screenshot of all my customers, or of my secret process, not my problem.
If my employee posts all the emails she has privy to of my best government customers drunken exploits with that 3500$ call girl I paid for to keep the contract, not my problem.
This better be appealed and won, otherwise I’ll just give up in believing people have certain rights to privacy.
I’m annoyed at reading this, obviously.
The opinion that it’s similar to (mentioned in my post) is a case in NY that did go up to the appellate court, who affirmed the dismissal of that patient’s lawsuit. You can read more about it here: http://www.databreaches.net/ny-court-of-appeals-rules-employer-not-liable-for-actions-of-employee-acting-outside-scope-of-employment/