Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing
On November 14, 2014, the Court of Appeals of Indiana issued a decision in the Hinchy v. Walgreen Co. case, upholding the jury verdict in favor of Ms. Hinchy. After a four-day jury trial that began in July 23, 2013, the jury found that Ms. Hinchy suffered damages in the amount of $1.8 million, with $1.4 million of that (80%) to be borne jointly by Walgreens and Ms. Withers, a Walgreen's pharmacist. The rest (20%) was to be borne by Mr. Peterson, Ms. Hinchy's ex-boyfriend and the father of her child and Ms. Withers's husband.

In upholding the jury verdict, which courts are "loathe to disturb," the Appellate Court began its decision as follows: "In this case, a pharmacist breached one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client's ex-boyfriend."[1] Walgreens vowed to appeal the decision to the Indiana Supreme Court, but first petitioned the Appellate Court for a rehearing. On January 15, 2015, the Court of Appeals of Indiana ruled on Walgreen Co.'s petition for a rehearing and declined to disturb its original decision.[2] As such, the Court of Appeals of Indiana's decision to uphold the jury verdict stands. Walgreen may yet appeal to the Indiana Supreme Court.

A few preliminary comments....The Hinchy case has garnered a good amount of attention in the media, among attorneys, and more importantly, businesses that handle protected health information. While this case does arise under Indiana law, as Mr. Eggeson, the attorney that tried this case on behalf of Ms. Hinchy noted to me in an interview I conducted with him in December 2014, "[this case] has now created a precedent which will make life MUCH easier for privacy victims across the country--showing those victims how to bring their claims, how to structure and argue their claims so as to make corporate employers liable for the acts of their employees, and how to earn large damages awards from the jury." (The full interview is to be published in an upcoming article for the Journal of Health Care Compliance.)

Covered entities, business associates, and subcontractors should pay careful attention to the circumstances in this case because this can very easily be them. Here is a company that, arguably, has a strong HIPAA training program, where employees are educated on how they can and cannot access and use protected health information. Yet, a jury still found Walgreen liable under respondeat superior. That is, the jury determined that the pharmacist's actions were within the scope of employment because they were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. Importantly, the jury found Walgreen's failure to terminate the pharmacist after it learned of the actions as problematic and, as counsel for Walgreen stated during the oral arguments, one juror specifically noted that Walgreen should have fired the pharmacist.
As Mr. Eggeson succinctly explained it to me, "From a plaintiff's perspective, the 'good' privacy case is the one where a compliance officer or defense attorney mistakenly believes that corporate policies will be more persuasive to a jury than a tearful privacy victim."

All companies that handle protected health information (or any sensitive information, including credit card numbers, social security numbers, and driver's licenses) should take the time to review their data breach insurance coverage. Healthcare providers in particular should work with counsel to review the extent of their coverage. Many malpractice carriers now include at least some basic coverage for data breach liability in malpractice policies. But, generally, this coverage is insufficient. You may learn more about cyberliability coverage in a three part series that I wrote for the Mature Market Experts blog: Part One (A Few Things to Consider When Purchasing Cyberliability Insurance), Part Two (How Much Coverage Do Organizations Need?) and Part Three (How Much Do Policies Cost?).

The oral argument before the
Court of Appeals of Indiana is available online - https://mycourts.in.gov/arguments/default.aspx?&id=1724&view=detail. The argument is about an hour and is worth watching to see the issues that the judges picked out and found important as well as the facts the attorneys cited in defense of their specific position(s). There was a rather lengthy discussion regarding the respondeat superior issue as well as the need to track employee access.

How this Case Arose

This privacy breach case arose as these cases typically arise - there was a love triangle of sorts and someone disclosed information they should not have. Sometime between fall 2006 and spring 2010, Ms. Hinchy was involved in a relationship with Mr. David Peterson.[3] As the Appellate Court recited:
During this [2006 - 2010] period, Hinchy filled all of her prescriptions, including oral birth control pills, at a Walgreen pharmacy. At some point in 2009, Peterson began dating Walgreen pharmacist Audra Withers. In August 2009, Hinchy became pregnant with Peterson's child. On an unknown date, Peterson learned that he had contracted genital herpes. Hinchy gave birth to a son on May 22, 2010.

At some point during the week of May 26, 2010, Peterson mailed a letter to Withers informing her about the baby and about the possibility that he may have exposed her to genital herpes. Withers became terrified about the possibility of contracting a sexually transmitted disease. Consequently, during her shift and while at work, Withers looked up Hinchy's prescription profile in the Walgreen computer system to see if she could find any information about Hinchy's sexually transmitted disease. The next day, Withers again looked up Hinchy's profile to confirm that she had spelled it correctly the day before.[4]
Subsequently on May 29, 2010, Mr. Peterson sent Ms. Hinchy a number of accusatory text messages and disclosed to her that he had a copy of her prescription records. Ms. Hinchy tried to determine how Mr. Peterson obtained a copy of her records and was told by an employee at Walgreens "that there was no way to track whether her records had been accessed."[5] Ms. Hinchy let the matter go at that time because she did not know how to proceed. But, in March 2011, Ms. Hinchy learned that Mr. Peterson was married to Ms. Withers and that Ms. Withers was a pharmacist at the local Walgreens where Ms. Withers fills her prescriptions. Ms. Hinchy reported the matter to the local Walgreens, which investigated the matter:
When Withers was confronted about the situation, she admitted that she had accessed Hinchy's prescription profile for personal reasons. On April 15, 2011, Loss Prevention Detective Michael Bryant confirmed to Hinchy that (1) a HIPAA/privacy violation had occurred, (2) Withers had viewed Hinchy's prescription information without consent and for personal purposes, and (3) Walgreen could not confirm that Withers had revealed that information to a third party. As a result of Walgreen's investigation, Withers received a written warning and was required to retake a computer training program regarding HIPAA.[6]
Ms. Hinchy filed suit against both Walgreens and Ms. Withers on August 1, 2011. Against Ms. Withers, Ms. Hinchy filed claims of:
(1) negligence/professional malpractice,
(2) invasion of privacy/public disclosure of private facts, and
(3) invasion of privacy/intrusion.
Against Walgreens, Ms. Hinchy filed claims:
(1) seeking liability for the counts she filed against Withers by way of respondeat superior,
(2) direct claims for:
(a) negligent training,
(b) negligent supervision,
(c) negligent retention, and
(d) negligence/professional malpractice.
Walgreens appealed the jury verdict on a number of grounds, but this discussion will only focus on the Appellate Court's discussion of the underlying liability, the respondeat superior claim, and the amount of damages.

Underlying Liability

The Appellate Court first looked at "the tort of negligence by virtue of professional malpractice of a pharmacist. Negligence is comprised of three elements: (1) a duty on the part of the defendant to the plaintiff; (2) a breach of that duty; and (3) an injury to the plaintiff resulting from the breach."[7] The Court found that Ms. Withers had a duty under Indiana law to keep the medical information she learned confidential. Ms. Withers breached that duty when she disclosed the information to Mr. Peterson. Ms. Hinchy further testified that, among other things, she suffered a number of emotional damages which impacted her ability to care for her child, she was humiliated, that she had a general distrust of healthcare providers, and that she was now taking a stronger anti-depressant.[8] As such, the Appellate Court found that Ms. Withers was negligent by virtue of professional malpractice.

Respondeat Superior and Having the Ability to Track Access

The doctrine of respondeat superior allows for vicarious liability to be imposed on an employer "where the employee has inflicted harm while acting within the scope of employment."[9] As the Appellate Court explained:
To fall within the scope of employment, the injurious act must be incidental to the conduct authorized or it must, to an appreciable extent, further the employer's business. An act is incidental to authorized conduct when it is subordinate to or pertinent to an act which the servant is employed to perform, or when it is done to an appreciable extent, to further his employer's business. . . . An employer is not held liable under the doctrine of respondeat superior because it did anything wrong, but rather because of the employer's relationship to the wrongdoer. . . . Furthermore, conduct is within the scope of employment when it is of the same general nature as that authorized, or incidental to the conduct authorized.[10]
In this case, the jury determined that Ms. Wither's actions were within the scope of employment because they "were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. Specifically, Withers was authorized to use the Walgreen computer system and printer, handle prescriptions for Walgreen customers, look up customer information on the Walgreen computer system, review patient prescription histories, and make prescription-related printouts. Withers was at work, on the job, and using Walgreen equipment when the actions at issue occurred."[11] This issue of whether the actions were within the scope of employment is for the jury to determine and the Appellate Court declined to disturb the jury's decision.

Another important issue in this case is Walgreen's ability to track who accessed a patient's record and the actions that Walgreen took after it learned from Ms. Hinchy that someone had improperly accessed her record. The issue was raised during oral arguments before the Indiana Court of Appeals when the Court and counsel were discussing the issue of respondeat superior, how it relates to other claims (e.g., negligent training) as well as the disciplinary actions Walgreen took after it found out what happened.[12]


Ms. Maggie Smith, counsel for Walgreen noted that prior to this issue, Ms. Wither's had not violated Walgreen's policies. But, the Court challenged this assertion because Walgreen had acknowledged that the Company did not have any way of knowing since the Company had no means to track access. Ms. Smith specifically asserted that other pharmacies did not have the means to track access and therefore Walgreen could not be negligent for failing to do something that is not done in the community. Ms. Smith noted that, "the jury found that the discipline imposed by Walgreen was inadequate. But, there is nothing in negligent retention or supervision jurisprudence that says that the action that you take after learning an employee has acted incorrectly is to fire that employee. Instead what happened here is [that Walgreen took certain disciplinary actions against Ms. Withers.] They took steps to make sure this didn't happen again. They didn't fire her and one of the jurors felt that that's what they should have done."[13]

Mr. Neal Eggeson, counsel for Ms. Hinchy, noted that whether access tracking systems were in place at pharmacies was a dispute between the experts. Mr. Eggeson specifically note that, Curtis Baldwin, the expert that he presented, "said not only is tracking systems something that he's been using at Kroger for 30 years, this is something that he does everyday. The expert that [Walgreen] hired from Perdue, on the other hand, suggests that, to his knowledge, even though he has not worked in any pharmacies, he does not know of any tracking system by any pharmacy. That was a disputed fact and the jury came down on [Ms. Hinchy's] side on that issue."[14]


Amount of Damages

The amount of damages has garnered a significant amount of attention. In its appeal, Walgreen argued "that the damages award was excessive and based on improper factors."[15] Appellate Courts do have the power to set aside jury verdicts if they are excessive. "Where a damage award is so outrageous as to indicate the jury was motivated by passion, prejudice, partiality, or the consideration of improper evidence, [Courts will] find the award excessive."[16] To support that the award was excessive, Walgreen argued that, "(1) Hinchy does not have a physical injury or condition resulting from the breach, (2) Hinchy has had no lost wages as a result of the breach, and (3) Hinchy did not offer any testimony from a medical professional or counselor supporting her claim of emotional distress."[17] Interestingly, some of these damages types have been cited by courts in other jurisdictions as grounds for dismissing data breach class actions, arguing that, because plaintiffs failed to demonstrate 'damages,' they lacked standing to bring their claim(s).

But, as the Court here explained, Walgreen's argument amounted to "a request that [the Court] reweigh the evidence, a practice in which we do not engage when evaluating a damages award. We find that the evidence in the record supporting the award is sufficient to affirm it."[18] The Appellate Court identified the following evidence in support of the damages award:
  • Withers gained information about Hinchy's private health information, including her social security number, and then shared that information with Peterson, who then shared the information with at least three other people
  • Hinchy's father learned about Hinchy's use of birth control, that Hinchy had herpes, and that Hinchy had stopped taking birth control shortly before becoming pregnant.
  • Hinchy testified that she experienced mental distress, humiliation, and anguish as a result of the breach. She stated that she was upset, crying, and feeling "completely freaked out . . . ." She felt "violated," "shocked," and "confused."
  • The disclosure led to Peterson berating Hinchy for "getting pregnant on purpose" and eventually extorting Hinchy by threatening to release the details of her prescription usage to her family unless she abandoned her paternity lawsuit.
  • Hinchy testified that she experienced uncontrollable crying that affected her ability to care for her child, going to a counselor to address the emotional toll of the privacy breach, experiencing a general distrust of all healthcare providers, and feeling a persistent and continuous loss of "peace of mind."
  • Hinchy also testified that she now takes Celexa, an anti-depressant, which costs $75 per month. Before the breach, she had taken a weaker anti-depressant intermittently, and had not taken it for more than one year before the breach.[19]
The Appellate Court declined to disturb the awarded damages.

Walgreen's Petition for Rehearing

Subsequent to the first decision from the Appellate Court, Walgreen petitioned for a rehearing from the Court of Appeals of Indiana. On January 15, 2015, the Court denied the petition. As a result, the jury's decision and that of the Appellate Court upholding the decision stands.


-------------------------------------
[1] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, *2 (App. Ct. Ind., Nov. 14, 2014), available at https://www.in.gov/judiciary/opinions/pdf/11141404jgb.pdf [hereinafter the "First Appellate Decision"].

[2] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, (App. Ct. Ind., Jan. 15, 2015), available at https://www.in.gov/judiciary/opinions/pdf/01151503jgb.pdf.

[3] First Appellate Decision at *2-3.

[4] Id. at *3.

[5] Id. at *4.

[6] Id. at *5.

[7] Id. at *14.

[8] Id. at *22.

[9] Id. at *8 (internal quotations and citations omitted).

[10] Id. at *8-10 (internal quotations and citations omitted).

[11] Id. at *11.

[12] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, Oral Arguments, Oct. 14, 2014, available at https://mycourts.in.gov/arguments/default.aspx?&id=1724&view=detail.

[13] Id. at 14:57 - 15:49 (argument of Maggie Smith).

[14] Id. at 28:26 - 28:51 (argument of Neal Eggeson).

[15] First Appellate Decision at *21.

[16] Id. (internal quotations omitted).

[17] Id. at *22.

[18] Id. at *22-23.

[19] Id.

-------------------------------------

Posted by Tatiana Melnik on January 25, 2015

December 2020
SuMoTuWeThFrSa
12345
6789101112
13141516171819
20212223242526
2728293031

Blog Home  

Newest Blog Entries
7/23/15 Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing

6/8/15 Two California Privacy Bills to Watch in 2015

3/28/15 When Looking at Security, Consider Every Device

3/9/15 Alabama Board of Optometry Makes Final a Rule on Telemedicine

1/25/15 Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

12/9/14 Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider

11/30/14 Can a Board of Medicine Use the State’s Prescription Drug Database in Investigating Physician Actions?

11/29/14 Under the Florida Telemedicine Rule, Can a Physical be Conducted by Telemedicine?

11/19/14 Wearables and the Challenge for Consumer Device Makers

10/28/14 A Few Telemedicine Resources

10/27/14 FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring

Blog Archives
April 2014 (6)
February 2014 (4)
May 2014 (6)
November 2014 (3)
July 2014 (1)
June 2015 (1)
November 2013 (3)
September 2014 (1)
December 2014 (1)
January 2015 (1)
June 2014 (3)
December 2013 (5)
March 2015 (2)
October 2013 (9)
July 2015 (1)
October 2014 (2)
March 2014 (3)
August 2014 (4)
January 2014 (4)

Blog Labels
Dental (1)
FCC (1)
Financial Services (1)
Mobile Apps (2)
Medical Marijuana (1)
Employment (1)
FAQ (6)
Meaningful Use (4)
EHR (2)
Privacy Litigation (3)
Identity Theft (1)
Security (1)
HIPAA (3)
Healthcare Fraud (1)
Marketing (1)
BYOD (2)
Social Media (2)
Mobile Apps FDA (2)
Data Breach (10)
Big Data (3)
Healthcare Competition (1)
Privacy (4)
Telemedicine (7)