• Court Decertifies Class Action Suit against Henry Ford Health System for Data Breach
  • March 20, 2015 | Authors: Zachary W. Behler; Michael R. Blum; Lauren Bernice Dunn; Samuel J. Frederick; Gilbert M. Frimet
  • Law Firms: Foster, Swift, Collins & Smith, P.C. - Lansing Office ; Foster, Swift, Collins & Smith, P.C. - Detroit Office ; Foster, Swift, Collins & Smith, P.C. - Lansing Office ; Foster, Swift, Collins & Smith, P.C. - Farmington Hills Office
  • The Michigan Court of Appeals recently decertified a class action suit against Henry Ford Health System (HFHS) and its subcontractor, a medical transcription service, for inadvertently disclosing sensitive patient information online. On December 18, 2014, a unanimous three-judge panel reversed the trial court’s denial of summary judgment in favor of the defendants. The court held that an invasion of privacy claim requires an intentional act rather than mere negligence and that the plaintiff’s claims for negligence and breach of contract require proof of an actual injury.

    The class consisted of 159 patients who visited HFHS between June 3, 2008 and July 18, 2008. The case arose when the defendant subcontractor made a configuration change to its server which left certain patient records unsecured. As a result, Google’s automated web server, “Googlebot,” indexed the information and made it available for users to search online. The information included each patient’s name, date of service, and diagnoses. The unnamed lead plaintiff alleged that her records revealed a sexually transmitted disease.

    After HFHS learned of the problem, it removed the information from the Internet, notified the affected patients, and took steps to more adequately protect patient information.

    The plaintiff brought suit for negligence, invasion of privacy in the form of public disclosure of private facts, and breach of contract.

    The court first held that invasion of privacy is an intentional tort under Michigan law. It was undisputed that the disclosure of patient information in this case was due to negligence. The plaintiff therefore could not establish an invasion of privacy claim.

    With respect to the negligence and breach of contract claims, the court ruled that the plaintiff failed to provide proof of an actual injury. The plaintiff argued that she suffered injuries by spending money on identify theft protection services. The court held that the costs for credit monitoring were merely incurred in “anticipation of possible future injury” rather than an actual, present injury.