The Pennsylvania Superior Court has affirmed a trial court's decision denying class certification in a data breach case against two health plans, reversing its own earlier ruling in the same case that the plaintiff did not have to show justifiable reliance on the defendant's privacy promises to prove a claim for deceptive practices under Pennsylvania law.

Baum v. Keystone Mercy Health Plan arose after a portable USB flash drive with personal information belonging to more than 280,000 children insured by Keystone Mercy Health Plan (defendant) disappeared from the defendant's corporate offices on September 20, 2010. The drive contained names, addresses, phone numbers, policy identification numbers, full and partial Social Security numbers, and health screening information. The plaintiff, who claimed his daughter's personally identifiable information was on the drive, filed a class action complaint, alleging a violation of Pennsylvania’s Uniform Trade Practices and Consumer Protection Law (UTPCPL), as well as claims of negligence and negligence per se.

The UTPCPL seeks to protect the public from unfair competition and unfair or deceptive acts or practices and allows any person who suffers ascertainable monetary or property loss to bring a private action to recover actual damages. Under the "catchall" provision of UTPCPL, an action can be brought against an entity that "engag[es] in any . . . fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding." Historically, UTPCPL plaintiffs have been required to show justifiable reliance on a defendant's wrongful conduct and subsequent harm suffered as a result of that reliance.

In Baum, the plaintiff claimed that the defendant failed to adhere to the express guarantee in its privacy policy that it would "set up ways to make sure that all personal health information is used correctly." The trial court denied class certification, finding that the plaintiff had not shown justifiable reliance on the defendant’s privacy promises. The Superior Court initially reversed the trial court's decision, finding in a non-precedential decision that plaintiffs pursuing claims under the UTPCPL's catchall provision do not need to show reliance.

After the Baum case was remanded to the trial court for further consideration of class action certification, the Superior Court reaffirmed in Kern v. Lehigh Valley Hospital that justifiable reliance is required on claims of deceptive practices under the UTPCPL. The Kern case involved allegations that the defendant hospital's billing practices violated UTPCPL and was unrelated to privacy or data security.

On remand, the trial court denied class certification in Baum a second time, this time finding that the plaintiff could not show that his daughter's lost data included personally identifiable information, and that he did not have standing to bring a private cause of action under the UTPCPL because his daughter's insurance policy was purchased by Medicaid.

The plaintiff once again appealed the decision to the Superior Court, which affirmed the trial court's denial of class certification based on the "trial court's additional findings of fact and conclusions of law on remand." In making such a determination, the Superior Court noted that “stressing [the plans] had pledged to protect any information it possessed that would allow someone to identify and learn about an insured’s health and the record herein revealed that any information contained on the flash drive would not identify [Baum’s] daughter, the trial court determined [Baum] could not claim to represent those class members who did lose such data, and therefore, may have been subjected to a deception.” In Baum’s case, his daughter’s member identification number and health screening information were on the flash drive that was lost.

The Superior Court also found that "[i]n light of Kern, . . . the trial court did not abuse its discretion in denying [plaintiff's] motion to certify the class to the extent it alleged deceptive conduct under the UTPCPL's catchall provision." Thus, plaintiffs in data breach class actions alleging a violation of the catchall provision of UTPCPL must demonstrate that "all prospective class members justifiably had relied upon the ... [defendant's] alleged violations of the UTPCPL and suffered an ascertainable loss as a result of those alleged violations."

The opinion is designated as non-precedential and therefore, under the Pennsylvania Superior Court's operating procedures, cannot be cited or relied upon by a party in any other action or proceeding. Notwithstanding this limitation, the case continues a trend of Pennsylvania courts rejecting claims arising out of data breaches. Pennsylvania state courts have previously held that the Commonwealth does not recognize a common law negligence claim premised on the failure to provide adequate data security.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate, and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk.

Copyright © 2016 by Ballard Spahr LLP.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.