Episcopal Health Services Data Breach Lawsuit Sent Back to State Court for Further Proceedings

A lawsuit filed against Episcopal Health Services following a phishing attack that exposed the protected health information of more than 218,000 patients has been sent back to the state courts by a judge of the U.S. District Court for the Eastern District of New York.

The breach in question occurred in September 2018, when hackers gained access to the email accounts of several Episcopal Health employees. The accounts contained a considerable amount of patient information, including the types of data sought by identity thieves: names, dates of birth, addresses, and Social Security numbers, along with health information and other sensitive data. The attackers had plenty of time to exfiltrate patient data, as the phishing attack went undetected for around two months.

Three patients affected by the breach took legal action against Episcopal Health, alleging they had suffered injuries as a result of the breach. In the lawsuit, the patients alleged that Episcopal Health had failed to protect their personal and protected health information, lacked appropriate cybersecurity protections, had breached its fiduciary duty, and had been negligent in hiring and training its employees. The patients also alleged that Episcopal Health did not provide timely notification about the breach. It took until May 2019 for Episcopal Health to discover that some patients had been affected by the breach, and they were notified around 8 months after the breach occurred.

Episcopal Health moved to have the lawsuit dismissed for lack of standing and failure to state a claim, and removed the case to the New York District Court because the lawsuit alleged violations of HIPAA and the FTC Act, both of which are federal laws.

While HIPAA and the FTC Act were referenced in the lawsuit, the District Court judge ruled that the claims made by the plaintiffs were common law causes of action and that the lawsuit did not raise a federal question under either HIPAA or the FTC Act. Consequently, the judge ruled that the District Court lacked jurisdiction, and the lawsuit was sent back to the New York Supreme Court for further proceedings. No ruling was made on the motion to dismiss, as the District Court lacked jurisdiction, so that motion must now be considered by the New York Supreme Court.