Walker v. Boston Medical Center Corp. , 33 Mass. L. Rptr. 179 ( 2015 )

By letters dated April 23, 2014, or earlier, defendant, Boston Medical Center Corp. (“BMC”), notified plaintiffs and others similarly situated that their patient records from office visits with physicians “were inadvertently made accessible to the public through an independent medical record transcription service’s online site.” The letters noted that the medical records “could potentially be accessed by non-authorized individuals” although BMC had “no reason to believe that this led to the misuse of any patient information.” BMC could not say “how long the information was publicly accessible through the site.”1

Plaintiffs commenced this action on June 10, 2015. In their complaint, plaintiffs seek an injunction against further disclosure of their records and damages for the unauthorized exposure of their medical information to the public. They sue BMC, the medical record transcription servicer, MDF Transcription, LLC (“MDF”), and MDF’s manager and owner, Richard J. Fagan. BMC and Fagan now move to dismiss the complaint.2

Plaintiffs do not know, at this stage, whether any unauthorized person actually gained access to their medical records. They allege, however, that “what goes on the internet, stays on the internet.” They are fearful that their private information has been or will be disclosed to the public, a risk acknowledged by BMC’s notice to them. They seek the opportunity to take discovery to learn the details regarding the length of time of the data breach, whether their records have been accessed and what steps have been taken to remedy the inadvertent disclosure. Their complaint contains seven counts: Count I, Invasion of Privacy *180under G.L.c. 214, §1B; Count II, Breach of Confidentiality; Count III, Breach of Fiduciary Duty; Count IV, Negligence; CountV, Negligent Supervision; Count VI, Breach of Implied Contract; and Count VII, Breach of Contract against MDF and Fagan. Plaintiffs claim that the breach by BMC and Fagan caused them injury. They seek an award of damages for that injury. In their breach of contract counts, plaintiffs also seek damages in the amount of a refund of amounts paid to BMC for medical services as a remedy for BMC’s alleged breach.

BMC moves to dismiss pursuant to Mass.R.Civ.P. 12(b)(1) and 12(b)(6). The sum and substance ofBMC’s motion is that the complaint fails to allege any specific injury. In short, without an allegation that their medical records have actually been accessed by an unauthorized person or that their personal information is being utilized by an unauthorized person, plaintiffs lack standing and fail to state a claim.3

With respect to BMC’s standing argument, I note the recent decision of the Supreme Judicial Court in Pugsley v. Police Department of Boston, 472 Mass. 367 (2015). There, the Court affirmed a dismissal for lack of standing upon a motion for summary judgment, not a motion to dismiss. Id. at 370. In doing so it articulated that an alleged injury must not be speculative, remote or indirect, but the Court also acknowledged that “real and immediate” risk of injury may be enough for standing. Id. at 371. Where, as here, plaintiffs allege facts that, if true, suggest a real risk of harm from the data breach at BMC, I conclude that the standing question should await a more full record and be decided upon a motion for summary judgment.4

With respect to a motion under Mass.R.Civ.P. 12(b)(6), it is required that the complaint set forth “factual ‘allegations plausibly suggesting (not merely consistent with)’ an entitlement to relief ...” Iannacchino v. Ford Motor Co., 451 Mass. 623, 636 (2008), quoting Bell At.l Corp. v. Twombly, 550 U.S. 544, 557 (2007). The court must, however, accept as true the allegations of the complaint and draw every reasonable inference in favor of the plaintiff. Curtis v. Herb Chambers 1-95, Inc., 458 Mass. 674, 676 (2011).

Applying that standard, plaintiffs’ complaint adequately states a cognizable claim for relief. Support for that conclusion starts with drawing a reasonable inference from BMC’s own letter informing plaintiffs of the data breach. From that letter it may be inferred that plaintiffs’ medical records were available to the public on the internet for some period of time and that there is a serious risk of disclosure. It is reasonable to infer the next step—that plaintiffs’ records either were accessed or likely to be accessed by an unauthorized person. Plaintiffs are entitled to discovery to determine what access, if any, has occurred, among other things.

Plaintiffs general allegation of injury from the data breach, inferring, as I do, that there likely was or will be access to plaintiffs’ confidential medical information by unauthorized persons, is sufficient. For example, a claim for an invasion of privacy involving disclosure of confidential medical records may give rise to damages for mental distress, harm to interest in privacy and special or economic harm. Restatement (Second) of Torts §652H (1977). Depending on the identity of a person who accessed the records, there could be financial damages. At the pleading stage, before discovery has determined whether plaintiffs’ records were accessed, more specificity regarding the kind of injury suffered by plaintiffs is not required.

For the reasons stated above, BMC’s motion to dismiss is DENIED. Fagan’s motion to dismiss is also DENIED.