So much attention has been focused on cybersecurity and data breaches that consumers are focused now more than ever about the privacy of their personal information. Forbes Magazine recently reported on the 20 major consumer data breaches of 2014. Many of the companies on the list were retailers whose customer payment systems were compromised. Customers took action by having credit accounts frozen and cards reissued.
As the data breaches continued to escalate, cyber thieves targeted health insurers like Anthem, MIE, Premera, and Excellus and gained additional information stored in data bases including names, birthdates, social security numbers, and medical coverage information. In some cases, hackers gained access to private health information which could be used to conduct medical identity theft.
Privacy Violations and Employee Access to Records
Cyber-crimes aren’t only perpetrated by anonymous hackers, sometimes the danger could come from employees of a business who have access to sensitive customer information. Two recent lawsuits involving consumer privacy violations shed light on the need to safeguard consumer information from outside as well as inside threats.
Robbins v. The Trustees of Indiana University and Clarian Health Partners, Inc. involves a nurse (“DeBow”) employed by the Indiana University School of Medicine Gastroenterology Department. Court documents indicate that DeBow accessed medical records of Robbins and her children 42 times within a 48-hour period. Robbins was not a patient of the gastroenterology department. DeBow then published protected health information she found by viewing these medical records on an internet blog belonging to Robbins’ former boyfriend. DeBow later admitted that there was no business purpose for her to access Robbins’ medical records and explained that her sole motivation was that she desired revenge.
In that case, the Court ruled in favor of the defendants and held that the employer was not vicariously liable for the employee’s actions since DeBow admitted that she was acting on her own initiative and that it was not within the scope of her employment to access Robbins’ medical file.
Another case that involves an employee violating the privacy of a customer is Hinchy v. Walgreen Co. This case involves a pharmacist employed by Walgreen’s, who accessed patient files stored in the company’s data base, and shared protected health information about the patient, Hinchy, with a third party. The third party was the pharmacist’s husband who was also the former boyfriend of Hinchy. The trial court denied Walgreen’s motion for summary judgment on the issue of vicarious liability. The case then went to trial and the jury awarded Hinchy $1.8 million.
Each of these cases deals with employee access to private client information and the act of sharing that information with unauthorized third parties. The outcome of each case is different but the damage is the same – a person had their privacy violated when the personal information they entrusted to a business was not protected and was instead shared with unauthorized third parties.