BJC HealthCare Data Breach Lawsuit Survives Motions to Dismiss

HIPAA Journal reports:

A class action lawsuit filed by two former patients against BJC HealthCare over a March 2020 email data breach has survived two motions to dismiss.

Leaha Sweet and Bradley Dean Taylor took legal action against St. Louis-based BJC HealthCare in September 2020 after being notified that their protected health information had potentially been compromised in a data breach.

According to HIPAA Journal, in her June 29 order, Chief Judge Nancy J. Rosentengel dismissed an invasion of privacy claim as Illinois law states that the party alleging an invasion of privacy must demonstrate the act was intentional — a claim that the plaintiffs were unalbe to demonstrate. The plaintiffs’ claim of bailment was also dismissed because the plaintiffs did not allege that they sought a return of their property (their protected health information) or that the health system had failed to return it.

BJC Healthcare must face the remaining 8 counts, though.

Read more on HIPAA Journal.

BJC Healthcare has disclosed a number of HIPAA breaches involving PHI over the past five years, as previous coverage on this site (below) demonstrates, but this one potentially impacted the largest number of patients:

• MO: BJC HealthCare warns patients of possible data breach (the May, 2020 phishing incident that compromised several employee email accounts: 287,876 patients)
• MO: Use BJC’s patient portal to pay your bills? Company announces possible malware breach.  (December, 2018: 5,850 patients)
• Medical and personal information on 33,420 BJC HealthCare patients left exposed on Internet (March, 2018: 33,420 patients)
• BJC HealthCare Raising St. Louis Notifies Participants of Unencrypted Emails (March, 2017: 644 patients)
• BJC HealthCare Accountable Care Organization Notifies Patients of Unencrypted Email (February, 2016:  2,393 patients  patients)