West Virginia University Health System is facing a class-action lawsuit over a breach of the protected health information (PHI) of 7,445 patients, but the Supreme Court of Appeals of West Virginia has lifted the class certification order.
The lawsuit is associated with an insider data breach that happened in 2016. Between March 2016 and January 2017, Angela Roberts, a registration specialist working previously at Berkeley Medical Center and Jefferson Medical Center, which are associated with West Virginia University Health System, accessed the medical information of 7,445 individuals with the purpose of performing identity theft and fraud. Upon discovery of the unauthorized access, Roberts confessed she got access to the health data for work reasons and also for stealing patient information to give to Ajarhi “Wayne” Roberts, her partner and co-defendant.
When accessing the medical files for valid work requirements, Ms. Roberts confirmed whether there was sufficient data to permit her and her boyfriend to steal patients’ identities. When there was sufficient information, the records were stolen and sent to Mr. Roberts with the intent of doing identity theft. Bogus Social Security cards were then created so as to carry out bank fraud.
Ms. Roberts was charged in a 36-count indictment and affixed her signature to a plea agreement to one count of identity theft in 2017. She confessed to illegitimately getting the names, dates of birth, signatures, Social Security numbers, and driver’s license numbers of 10 individuals, and that she sent that data to her boyfriend who utilized the details to open accounts. Victims had lost money amounting to $20,757 and Roberts was required to pay $5,189.25 in a settlement.
Legal action was submitted on behalf of plaintiffs Eugene Roman and Deborah Welch that desired class-action status covering the patients who had their health data impermissibly accessed. Welch and Roman succeeded in certifying a class of 7,445 patients; nevertheless, the defendants contended that the class representatives were missing standing because they had experienced no injury-in-fact from the legal access of their medical information by Ms. Roberts.
The Supreme Court of Appeals lately decided Welch didn’t have enough standing to sue for a breach of confidentiality or an invasion of privacy since she had encountered no injury-in-fact from the employee’s lawful accessing of her health data, and other prerequisites to class certification were not met. The Supreme Court of Appeals made a decision that Roman, who represented a subclass of 109 persons, also did not meet the requirements for class certification and that the circuit court didn’t deliver a complete analysis of the typicality prerequisite in light of Roman’s circumstances and claims. The class certification order was lifted in order for a class-action lawsuit to continue, at least one of the named plaintiffs should have standing.