Banner Health Class Action Claims Survive Motion to Dismiss

Patterson Belknap Webb & Tyler LLP
Contact

Wednesday, a federal district court in Arizona denied in part and granted in part Banner Health’s motion to dismiss class action claims arising from a 2016 data breach. 

As we reported in a previous post, hackers gained access to Banner Health’s “point-of-sale” system at food and beverage outlets at some of the health-care provider’s locations.  Banner Health announced that, because of the breach, hackers may have gained “unauthorized access to patient information” and “payment card data” for approximately 3.7 million patients, employees, health-plan members, food and beverage customers, and physicians.

After the breach was disclosed, some of Banner Health’s patients, plan members, healthcare providers, and employees promptly filed suit.  According to plaintiffs, Banner Health failed to separate its systems and servers containing personally identifying information (“PII”) and protected health information (“PHI”) from those used for its point-of-sale system.  Banner Health moved to dismiss.

U.S. District Judge Susan R. Bolton found that plaintiffs’ allegations were sufficient to establish standing to sue under Article III.  Like the Sixth and Seventh Circuits, the district court held that it was enough that plaintiffs “alleg[ed] an increased risk of identity theft due to the theft of [their] PII” to satisfy the threshold issue of harm to confer standing.

Plaintiffs, however, received a mixed decision on the substance of their claims.  The district court dismissed plaintiffs’ claims for breaches of contract, of the implied covenant of good faith and fair dealing, and of the duty to perform with reasonable care.  Banner’s Health Summary Plan Description, Medical Treatment Agreement, and Employee Handbook did not contain “reasonably ascertainable express promises to maintain data security” beyond the company’s “preexisting duties under the law.” 

But the rest of plaintiffs’ claims fared better.  Judge Bolton held that plaintiffs plausibly alleged a claim for unjust enrichment: Banner Health’s patients and members paid money “to be used for the costs of data security,” and Banner Health “failed to provide adequate data security.”  Likewise, the court concluded that plaintiffs adequately pleaded claims under Arizona’s consumer-protection law, because they alleged that Banner Health’s “notices” did “not contain information about Defendant’s allegedly inadequate security practices.” 

Plaintiffs’ negligence claim also survived the motion to dismiss.  The district court concluded that plaintiffs properly pleaded that they incurred damages: Some of the named plaintiffs “suffered actual misuse of their personal information,” and others incurred “out-of-pocket expenses to mitigate the future risk of identity theft.”  And, the court held, they adequately alleged that Banner Health’s conduct caused those damages.  According to plaintiffs, the company’s “inadequate security practices” left their PII and PHI exposed, their PHI and PII was stolen, and the breach “led to identity theft and an increase risk of identity theft.”

The Banner Health breach was one of the largest in its sector.  We will continue to monitor the case, so stay tuned for further updates.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP
Contact
more
less

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.