Thursday, 16 January 2014 22:21

Polanco et al. v. Omnicell, Inc., et al.: Data Breach Class Action

Written by 
Rate this item
(0 votes)

The United States District Court for the District of New Jersey ruled against the plaintiffs in a class action lawsuit brought by Bobbi Polanco on behalf of herself and others in similar circumstances for breaches of state security notification laws, violations of consumer fraud laws in New Jersey, Virginia, and Michigan, fraud, negligence, and conspiracy.

The class action stemmed from the November 14, 2012, theft of a laptop computer from the car of an Omnicell Inc. employee. Omnicell Inc. sells automatic and analytic solutions that allow health care facilities to obtain, manage, dispense and administer medications and medical and surgical supplies.

An amended complaint naming additional defendants was also filed. The additional defendants were Sentara Healthcare, which owns hospitals in Virginia; South Jersey Health System, Inc. (now known as Inspira), which provided medical care to Polanco’s daughter; and the University of Michigan Health System (UMHS).

After receiving letter from Omnicell on December 31, 2012, notifying her of the laptop theft, and stating that "Omnicell is entrusted with patient information," Polanco alleged that she was not assured by the defendants that her personal information would be protected from subsequent losses, and due to these concerns, went to a more distance health care facility to obtain medical treatment for her daughter, incurring additional expenses.

In her suit, Polanco alleged that the stolen laptop contained unencrypted Personal Confidential Information (PCI) that was related to thousands of patients at health care facilities including Sentara, Inspira, and UMHS.

According to court documents, the plaintiffs alleged that Polanco wanted to "remedy the harmful effects of the breach of …. privacy interests of Plaintiff and the Class, the failure to timely and reasonably notify [Plaintiff and the Class] of such breach …, and the misleading and deceptive notification sent on December 31, 2012.”

The court dismissed Polanco's suit because she only "alleged injury based on anticipation of future harm" and therefore lacked the standing to bring the case. The Defendants’ motions to dismiss were then granted. The court also noted that individuals have no right to sue health care providers under the Health Insurance Portability and Accountability Act (HIPAA) just because their personally identifying information was compromised.

Individuals do not have the right to sue healthcare providers under the Health Insurance Portability and Accountability Act simply because their personal information was compromised, a federal judge recently ruled. Additionally, the court dismissed Polanco's argument that her distrust of Omnicell and the facilities that used Omnicell's services forced her to obtain medical care for her daughter at another health care institution, stating that "expenses incurred in anticipation of future harm" are not enough to constitute standing to bring this type of lawsuit to a federal court. The court dismissed the case without prejudice, however, meaning that Polanco may pursue the matter in a state court.

In dismissing the case, the court relied in part on the ruling of the United States Supreme Court’s ruling in the case of Clapper v. Amnesty International.


U.S. District Court for the District of New Jersey, Polanco et al. v. Omnicell Inc., Order

U.S. District Court for the District of New Jersey, Polanco et al. v. Omnicell Inc., Opinion

U.S. Supreme Court, Clapper v. Amnesty International

"Judge Dismisses HIPAA Claims Arising From Omnicell Laptop Theft," Tim Mullaney, McKnight's, January 6, 2014

"New Jersey Federal Court Applies Supreme Court’s Clapper Decision and Dismisses Data Breach Class Action," Judy Selby, BakerHostetler, January 7, 2014


Read 3062 times Last modified on Thursday, 16 January 2014 22:26
Login to post comments