There’s an update to an insider-wrongdoing lawsuit that I first noted back in September, 2013, after some employees at Rensselaer County Jail filed suit against their employer for snooping in their medical records.
As I’ve reported in the past, the breaches occurred against a backdrop where the county jail uses Samaritan Hospital to provide services to inmates and employees, but the jail also has its own medical personnel. In this case, a nurse left her login information conveniently handy for others who did not have access to the medical database and some unauthorized employees allegedly used those login credentials to snoop on inmates and coworkers. As my previous digging into this case indicated, the breaches began in 2008, were discovered in 2011 by Samaritan Hospital, but were not disclosed to those affected until 2013 – allegedly because the Sheriff, who became a defendant in the litigation, asked the hospital to delay notification. The Sheriff’s role also became significant in the litigation because employees claimed that he was misusing access to see if they were complying with his policies about not taking excessive medical leave from work.
In any event, in 2016, the lawsuits were dismissed, with prejudice, in part because the court held that the employees had not demonstrated that anything in their medical records was sensitive enough that if viewed by an employer, would expose them to discrimination. The claims under CFAA were dismissed for failure to state a claim.
The plaintiffs appealed, and now the Second Circuit Court of Appeals has affirmed in part and reversed in part.
Of special note, the court held that even individuals with non‐stigmatizing medical conditions have a right to privacy in their medical records, even if their interest in privacy might be less (than someone with a stigmatizing condition). So the court has remanded the case back to the district court, but instructed the lower court to also consider whether qualified immunity might apply.
Continue to stay tuned.
h/t, Law360.com who reported on this update first.