Smith v. Triad of Alabama LLC, No. 14-cv-00324 (M.D. Ala.).

As detailed last month, Triad of Alabama (doing business as Flowers Hospital) was hit with a putative class action after notifying patients that a former hospital employee had stolen lab test records containing names, addresses, dates of birth, Social Security numbers and health plan policy numbers, and information about lab tests, but not test results. The complaint included claims for willful and negligent violations of the Fair Credit Reporting Act, negligence, negligence per se, invasion of privacy, and breach of contract. On July 7, Flowers Hospital moved to dismiss the claims. The hospital argued that the plaintiffs lack standing because the filing of fraudulent tax returns—without allegations that plaintiffs were deprived of their tax refunds—and an increased risk of identity theft were not actual injuries and that these alleged injuries were not “fairly traceable” to the data breach. The hospital also maintained that the plaintiffs failed to state their negligenceper se, breach of contract, and invasion of privacy claims. The hospital argued (i) both the negligence and contract claims are impermissible attempts to create a private cause of action under HIPAA, (ii) plaintiffs cannot prove causation for their negligence claim, (iii) the hospital’s privacy notice did not constitute a contract because there was no consideration, and (iv) the plaintiffs failed to allege any basis for vicarious liability in their invasion of privacy claim. As of July 30, the motion has been fully briefed.