Confidentiality: Hospital’s Accidental Posting of Patient Information Results in Class Action

​The Supreme Court of Appeals of West Virginia has permitted a class action to proceed against a hospital that in 2011 "accidentally" posted the plaintiffs' personal and medical information in a publically accessible electronic database and website. The names of 3,655 patients, their contact information, social security numbers, dates of birth, and certain "basic respiratory care information" could be accessed by anyone conducting an "advanced" Internet search. The information remained vulnerable to exposure from September 2010 to February 2011. The organization notified the patients and offered a full year of credit monitoring to individuals whose data had been at risk of exposure.

Alleging breach of duty of confidentiality, invasion of privacy, and negligence, several individuals filed a lawsuit against the organization on behalf of themselves and a class of persons "similarly situated." Pretrial discovery revealed that neither the defendants nor the plaintiffs were aware of any attempted unauthorized access or actual unauthorized or malicious access and that none of the individual plaintiffs experienced actual or attempted identity theft, property damage, or other economic loss as a result of the mishap. A lower court dismissed the litigation on the grounds that the plaintiffs failed to show that they in fact suffered an injury that is not merely "hypothetical or conjectural" and that...