Avrum M. Baum v. Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, Superior Court of Pennsylvania, No. 1250 EDA 2015. Appeal from the Order March 27, 2015 in the Court of Common Pleas of Philadelphia County Civil Division at No(s): January Term, 2011, 3876
On April 26, 2016, the Pennsylvania Superior Court affirmed the decision of the Philadelphia Common Pleas Court to deny class action status in the case of Baum v. AmeriHealth Caritas. Rawle & Henderson attorney Charles Fitzpatrick acted as local counsel on the case along with the Washington, D.C. firm of Epstein, Becker & Green.
The case involved a missing flash drive at the offices of AmeriHealth Caritas, a Medicaid health insurance provider, in October 2010. The flash drive was believed to have personal health and other information on approximately 250,000 subscribers. When the flash drive could not be found, AmeriHealth Caritas notified all subscribers in accordance with state and federal law. There has never been any indication that the information on the missing drive was improperly accessed or misused in any way in the six years since it went missing.
In January 2011, plaintiff, Avrum Baum, initiated suit seeking class action status on behalf of his daughter and all other persons whose information may have been on the missing flash drive. It was alleged that the drive went missing through the negligence of the defendant and that the purported class was at risk of misuse of the information on the drive.
Plaintiffs also made a claim under the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL) 73 P.S. 201-9.2a, which permits private actions by individuals who have purchased goods or services and suffered loss of money or property due to deceptive practices by the seller. Plaintiff Baum was not a subscriber and had no information on the flash drive but claimed his minor-daughter did.
After extensive discovery on the class action issues, including the depositions of the plaintiff and representatives of the defendant company, a hearing was held before the Honorable Mary D. Colins of the Philadelphia Court of Common Pleas on April 29, 2013, on the issue of class certification.
Plaintiff’s expert testified that he was able to access the information on a duplicate flash drive about the plaintiff’s daughter but only because he knew her individual subscriber identification number. There was no evidence presented that any potential hackers could use the information on the drive to link subscriber numbers to any particular individual.
On July 25, 2013, Judge Colins entered an order denying plaintiff’s motion for class certification. In examining plaintiffs’ claim for negligence, Judge Colins ruled that the plaintiff had failed to establish the typicality requirements of the purported class action under Pa.R.Civ.P. 1702 (3). Plaintiffs could not show that their claim was typical of the proposed class as they had not shown any loss.
Judge Colins also denied the class action certification under the UTPCPL as plaintiffs could not satisfy the commonality requirement under Rule 1702 (2) as they had not shown reliance on any promises of cyber security. Plaintiff appealed to the Pennsylvania Superior Court.
The case was argued before the Pennsylvania Superior Court on October 28, 2014. On December 9, 2014, the Superior Court affirmed the lower court’s decision in part and remanded the case to the lower court for additional findings on one issue. The Superior Court affirmed the lower court’s findings that plaintiffs’ negligence claim could not satisfy the class action typicality requirement. The issue that was remanded was whether plaintiff’s claims under the Pennsylvania Unfair Trade Practices and Consumer Protection Law was barred by the plaintiff’s failure to allege reliance on any alleged representations of the security of its computer records by the defendant.
Judge Colins conducted an additional hearing on February 18, 2015, and affirmed her original decision to deny class action status. Judge Colins, in analyzing the plaintiffs’ UTPCPL claim, noted that the health care insurance for the minor plaintiff was actually provided by Medicaid. She reasoned that since the plaintiff or his daughter had not paid anything for the coverage provided by the defendant, neither plaintiff had suffered any ascertainable loss of money or property as required by the UTPCPL.
Plaintiff again appealed. The Superior Court of Pennsylvania again heard argument on March 9, 2016, and decided in favor of the defendant once again. The Court decided that the plaintiff in a private action under the UTPCPL must show justified reliance on some promise of a defendant and some ascertainable loss of money or property. The Court affirmed the dismissal of the plaintiffs’ request for certification of a class action. The plaintiffs have not sought any further appeals.
This decision finally put an end to the long administrative and litigation expense for Rawle & Henderson LLP’s client arising from an unfortunate oversight which in the end caused no known harm to any of the persons whose information may have been on the missing flash drive. It demonstrates the Pennsylvania courts’ reluctance to grant relief in data breach cases where no harm has been shown.
Charles A. Fitzpatrick, III, has extensive experience defending medical malpractice, nursing home liability, pharmaceutical and catastrophic injury cases. He has tried over 125 cases to verdict. Charles is a member of the bar of Pennsylvania and is admitted to practice in the United States District Court for the Eastern District of Pennsylvania, the Third Circuit Court of Appeals and the United States Supreme Court. He is a graduate of St. Joseph’s University and the Law School of the University of Pennsylvania. He served in the United States Navy, achieving the rank of Lieutenant. Charles has lectured extensively to attorneys and physicians on the law of medical malpractice. He has been rated AV Preeminent by Martindale-Hubbell for 33 consecutive years. He was chosen as a Pennsylvania Super Lawyer in 2016 for the 13th consecutive year.