A group of New York patients claiming that Episcopal Health Services Inc. failed to protect their private information from unauthorized disclosures can proceed in state court, a federal court in New York said.
Episcopal improperly removed the case from the state court in which it was filed, the U.S. District Court for the Eastern District of New York said Thursday. The patients’ complaint didn’t raise any questions of federal law, it said.
The patients brought a class action against Episcopal, alleging the health-care provider failed to maintain adequate cybersecurity protections to keep hackers from accessing their financial, medical, and other personal information, including social security numbers and home addresses.
The hospital removed the case to federal court, arguing that the patients raised claims under two federal laws, the Health Insurance Portability and Accountability Act and the Federal Trade Commission Act. It also moved to dismiss the complaint.
The patients argued the complaint alleged only state common-law claims for negligent hiring and training of employees, breach of fiduciary duty, breach of implied contract, and delay in notifying them of the data breach.
Though the patients’ complaint referred to HIPAA and the FTCA, neither law allows people to sue for violations of them, the court said. Only the U.S. Health and Human Services Department can enforce HIPAA, and FTCA enforcement actions fall within the Federal Trade Commission’s exclusive jurisdiction.
The patients’ claims thus didn’t arise under federal law, and the court didn’t have authority to preside over the case, it said. The court sent the case back to the state court and didn’t rule on the motion to dismiss.
Judge Dora L. Irizarry wrote the opinion.
Law Offices of Paul M. Sod and Finkelstein, Blankinship, Frei-Pearson & Garber LLP represent the patients. Greenberg Traurig LLP represents Episcopal.
The case is Dumay v. Episcopal Health Servs., 2020 BL 226760, E.D.N.Y., No. 19-cv-6213, 6/18/20.