The answer depends on the details of the allegations. In a recent case, a group of patients filed a class action lawsuit against a New York health system accusing the group of failing to protect their financial, medical and personal information from security leaks. The failure, they allege, resulted in a cyber attack that put the privacy of information like social security numbers in jeopardy.
Where to file the claim?
The patients filed the claim in a state court, but the hospital system moved to have the claim removed to a federal court instead. The hospital system stated a federal court provided the right venue, as the issue touched on two federal laws: The Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA). It then moved to dismiss the claim.
Were they right?
Ultimately, the federal court stated that although claims involving these laws would move forward in the federal court system, only the United States Health and Human Services Department (HHS) can enforce HIPAA violations and the Federal Trade Commission enforces FTCA actions. The federal system was not the proper venue because these federal agencies were not currently involved. As a result, the federal court sent the case back to state court to review whether the court should dismiss the remaining claims.
What comes next?
The patients are moving forward with claims the hospital system violated state laws including negligent hiring and training of employees, breach of fiduciary duty and a delay in notifying the patients of the data breach. Although the hospital system lost its fight to change the venue of the dispute to federal courts, it could still win its motion to dismiss the claims. If successful, the lawsuit would likely end. If not, the hospital system would need to review the allegations and tailor a defense to counter the claims.