In a decision highlighting the division among courts for data breach liability, Michigan’s appellate court recently joined those courts requiring actual proof of injury. On December 18, 2014, the Michigan Court of Appeals decertified a class action lawsuit against Henry Ford Health Systems (HFHS) and its subcontractor over the disclosure of personal health information. Doe v. Henry Ford Health Sys., 2014 Mich. App. LEXIS 2557 (Mich. Ct. App. Dec. 18, 2014). The Court held that the Plaintiff failed to allege the actual injury necessary to plead claims of negligence and breach of contract, and that invasion of privacy is an intentional tort which does not support a negligent cause of action.
The Plaintiff alleged, on behalf of the class of patients, that a Henry Ford’s subcontractor caused sensitive patient records to be disclosed on the Internet between June 3 and July 18, 2008. Upon learning of this problem, HFHS removed the patient data, notified patients of the disclosure, and took steps to protect patient information going forward. Initially, the lower court certified a class action.
The Michigan Court of Appeals held that the only alleged injury was for the cost of account monitoring associated with a possible, future injury potentially stemming from the data breach. The Court ruled that absent the Plaintiff’s showing that the exposed data was actually viewed online or used for an improper purpose, the Plaintiff failed to show actual, present injury, an element of both negligence and breach of contract. Similarly, absent any case law supporting a negligent cause of action, invasion of privacy was an intentional tort under Michigan law which did not support liability for the accidental disclosure of data.
Although this decision limited the liability for Michigan defendants who accidentally disclose sensitive client data without causing injury, much uncertainty still exists regarding the extent of liability in data breach litigation under state and federal law.