Recently, the Pennsylvania Superior Court ruled in favor of data breach plaintiff Avrum Baum, giving him a second chance to certify a class action suit against Keystone Mercy Health Plan.  Baum brought suit against the insurer and its affiliate, AmeriHealth Mercy Health Plan, after it misplaced an unencrypted flash drive containing the personal health records of more than 200,000 subscribers.  Baum contends that Keystone Mercy violated the privacy rights of these subscribers, including his daughter, when electronically stored names, addresses, dates of birth, Social Security numbers, and clinical and health screening information were lost.

Keystone Mercy’s Chief Compliance and Privacy Officer discovered that the flash drive was missing in September of 2010.  As a result of the breach, the insurer offered credit monitoring services to 808 individuals whose partial or complete Social Security numbers were maintained on the drive.  They also provided notice of the missing data to the Pennsylvania Department of Public Welfare and the Federal Department of Health and Human Services Office of Civil Rights.

After lodging allegations that Keystone Mercy violated the catchall provision of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (“UTPCPL”), Baum filed a motion with the Philadelphia Court of Common Pleas for class action certification.  His complaint characterized the potential class as all subscribers whose personal health records or other confidential or private information was compromised through Keystone Mercy’s improper handling of the flash drive.  The trial court conducted a hearing and, on July 25, 2013, entered an order denying the motion.  Baum subsequently appealed. 

The UTPCPL allows any private, individual purchaser who suffers ascertainable monetary or property loss as a result of an unlawful act to recover actual damages.  This consumer protection law seeks to prevent unfair competition and deceptive conduct in trade or commerce and, according to the Supreme Court of Pennsylvania, should be construed liberally in order to “effect its legislative goal.”  See Fazio v. Guardian Life Ins. Co. of Am., 62 A.3d 396, 405 (Pa. Super. 2013). 

Historically, UTPCPL plaintiffs were required to show justifiable reliance on a defendant’s wrongful conduct and subsequent harm suffered as a result of that reliance.  Yocca v. Pittsburgh Steelers Sports, Inc., 854 A.2d 425, 438 (Pa. 2004).  In this way, the trial court concluded, class treatment of Baum’s allegations sounding in fraud were inappropriate. 

The Superior Court, however, held that plaintiffs pursuing claims under the UTPCPL’s catchall provision do not need to show reliance, citing to Grimes v. Enterprise Leasing Co. of Phila., LLC, 66 A.3d 330, 337 n.4 (Pa. Super. 2013); Bennett v. A.T. Masterpiece Homes at Broadsprings, LLC, 40 A.3d 145, 152 n.5 (Pa. Super. 2012).  The court explained that the provision defines unfair methods of competition and business practices as “fraudulent ordeceptive conduct” which creates confusion or misunderstanding.  In this way, justifiable reliance is not necessary to recover damages where a complaint alleges deceptive conduct.  Therefore, because Baum’s complaint specifically alleged both fraudulent and deceptive conduct on the part of Keystone Mercy, the trial court’s denial of the motion to certify his claim as a class action was improper.   

The Superior Court three-judge panel remanded Baum’s case to the trial court for further consideration of the conditions required for class action certification.  Whether the class will be certified remains to be seen, but the Superior Court’s holding may provide another avenue for data breach plaintiffs to have their day in court.