Class Certification Improper in Data Breach Case, PA Appellate Court Finds

The Pennsylvania Superior Court has affirmed a trial court's decision denying class certification in a data breach case against two health plans, reversing its own earlier ruling in the same case that the plaintiff did not have to show justifiable reliance on the defendant's privacy promises to prove a claim for deceptive practices under Pennsylvania law.

Baum v. Keystone Mercy Health Plan arose after a portable USB flash drive with personal information belonging to more than 280,000 children insured by Keystone Mercy Health Plan (defendant) disappeared from the defendant's corporate offices on September 20, 2010. The drive contained names, addresses, phone numbers, policy identification numbers, full and partial Social Security numbers, and health screening information. The plaintiff, who claimed his daughter's personally identifiable information was on the drive, filed a class action complaint, alleging a violation of Pennsylvania’s Uniform Trade Practices and Consumer Protection Law (UTPCPL), as well as claims of negligence and negligence per se.

The UTPCPL seeks to protect the public from unfair competition and unfair or deceptive acts or practices and allows any person who suffers ascertainable monetary or property loss to bring a private action to recover actual damages. Under the "catchall" provision of UTPCPL, an action can be brought against an entity that "engag[es] in any . . . fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding." Historically, UTPCPL plaintiffs have been required to show justifiable reliance on a defendant's wrongful conduct and subsequent harm suffered as a result of that reliance.

In Baum, the plaintiff claimed that the defendant failed to adhere to its express guarantee in its privacy policy that it would "set up ways to make sure that all personal health information is used correctly." The trial court denied class certification, finding that the plaintiff had not shown justifiable reliance on the defendant’s privacy promises. The Superior Court, initially, reversed the trial court's decision, finding in a non-precedential decision that plaintiffs pursuing claims under the UTPCPL's catchall provision do not need to show reliance.

After the Baum case was remanded to the trial court for further consideration of class action certification, the Superior Court reaffirmed in Kern v. Lehigh Valley Hospital that justifiable reliance is required on claims of deceptive practices under the UTPCPL. The Kern case, which involved allegations that the defendant hospital's billing practices violated UTPCPL, was unrelated to privacy or data security.

On remand, the trial court denied class certification in Baum a second time, this time finding the plaintiff could not show his daughter's data that was lost included personally identifiable information and that he did not have standing to bring a private cause of action under the UTPCPL because his daughter's insurance policy was purchased by Medicaid.

The plaintiff once again appealed the decision to the Superior Court, which affirmed the trial court's denial of class certification based on the "trial court's additional findings of fact and conclusions of law on remand." In making such a determination, the Superior Court noted that “stressing [the plans] had pledged to protect any information it possessed that would allow someone to identify and learn about an insured’s health and the record herein revealed that any information contained on the flash drive would not identify [Baum’s] daughter, the trial court determined [Baum] could not claim to represent those class members who did lose such data, and therefore, may have been subjected to a deception.” In Baum’s case, his daughter’s member identification number and health screening information were on the flash drive that was lost.

The Superior Court also found that "[i]n light of Kern, . . . the trial court did not abuse its discretion in denying [plaintiff's] motion to certify the class to the extent it alleged deceptive conduct under the UTPCPL's catchall provision." Thus, plaintiffs in data breach class actions alleging a violation of the catchall provision of UTPCPL must demonstrate that "all prospective class members justifiably had relied upon the ... [defendant's] alleged violations of the UTPCPL and suffered an ascertainable loss as a result of those alleged violations."

The opinion is designated as non-precedential and therefore, under the Pennsylvania Superior Court's operating procedures, cannot be cited or relied upon by a party in any other action or proceeding. Notwithstanding this limitation, the case continues a trend of Pennsylvania courts rejecting claims arising out of data breaches. Pennsylvania state courts have previously held that the Commonwealth does not recognize a common law negligence claim premised on the failure to provide adequate data security.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP