Theft or accidental loss of a laptop, thumb drive or other device is “[t]he single most common way that protected health information is compromised.” And while violating the Health Insurance Portability and Accountability Act’s Privacy and Security Rules can result in million-dollar fines, HIPAA does not provide for a private right of action. So when an employee of Alere Home Monitoring Inc. had a company laptop containing patients’ medical information stolen out of her car in 2012, plaintiffs filed a class action claiming that Alere violated the Fair Credit Reporting Act, an increasingly common claim in unauthorized disclosures of electronic health information. Last week the district court dismissed the FCRA claim and all the other claims asserted against Alere in Falkenberg v. Alere Home Monitoring, Inc., No. 13-cv-00341-JST (N.D. Cal. Oct. 7, 2014).
The FCRA applies to credit reporting agencies, defined in the Act as “any person which . . . regularly engages in . . . the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. 1681a(f). So a credit reporting agency must furnish consumer reports, which are defined as the communication of any information “bearing on a consumer’s credit worthiness . . . character, general reputation, personal characteristics, or mode of living which is used or expected to be used . . . for the purpose of serving as a factor in establishing the consumer’s eligibility for—(A) credit or insurance,” among other things. 15 U.S.C. 1681a(d).
Alere provides anticoagulation home monitoring services and related products to heart transplant patients and others. Those services include collecting the patients’ medical information to help doctors track the medical care provided to those patients while they are living at home. The plaintiffs claimed that they also provided Alere with their names, addresses, dates of birth, Social Security numbers and medical conditions.
The court determined that Alere is not a credit reporting agency and therefore declined to apply the FCRA to Alere for two reasons:
- The court said “[i]t is doubtful” that the health-related information collected by Allere qualified as “consumer information or other information on consumers” under Section 1681a(f).
- Alere does not keep the information “for the purpose of furnishing consumer reports.” In reaching the second conclusion, the court noted that “Alere may perhaps verify the details of a patient’s existing [insurance] coverage, but it does not demonstrate that Alere provides the information to the insurer to establish a patient’s eligibility for insurance.”
TAKEAWAY: Alere may signal a trend against FCRA claims when electronic health information is compromised. Although not cited in Alere, the Northern District of Illinois recently dismissed FCRA claims against Advocate Health and Hospitals that followed the theft of four encrypted laptops, similarly holding that a healthcare provider such as Advocate was not a credit reporting agency under the Act. Tierney v. Advocate Health & Hosp. Corp., No. 13 CV 6237 (N.D. Ill. Sept. 4, 2014).