In August, 2014, I noted a report involving a transcription contractor of Boston Medical Center exposing patient information on the Internet. BMC notified approximately 15,000 patients and fired MDF Transcription Services because of the incident. Of note, BMC told patients in a notification letter that it had no reason to believe their information had been misused – or even accessed. The incident, which had been reported to HHS in April 2014, appears on HHS’s breach tool under MDF’s name as the Business Associate. There is no indication in the breach tool that OCR has closed its investigation into that incident as of today’s date.
Unbeknownst to me, there was a lawsuit that followed the incident: Walker et al v. Boston Medical Center Corp. Not surprisingly, the defendants moved to dismiss for lack of standing. After all, there was no evidence the data had even been accessed, much less misused, and because… Clapper.
BMC must have gotten a real shock when the opinion was issued. Kevin M. McGinty of Mintz Levin explains:
A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information.
Read more on Mintz Levin.