(Article from Insurance Law Alert, February 2018)
For more information, please visit the Insurance Law Alert Resource Center.
The Second Circuit vacated a district court decision rejecting a constitutional right to privacy claim based on the improper accessing of personal medical records. Hancock v. County of Rensselaer, 2018 WL 798471 (2d Cir. Feb. 9, 2018).
The complaint alleged that the personal medical records of county jail employees were secretly accessed without their consent by at least one co-worker in violation of the Due Process Clause of the Fourteenth Amendment and the Computer Fraud and Abuse Act (“CFAA”). A New York federal district court dismissed the CFAA claim on the pleadings, and later granted summary judgment to the defendants on the constitutional privacy claim. The district court concluded that the privacy claim failed because the plaintiffs did not have a “constitutionally protected interest in medical privacy because the medical conditions described in their records were insufficiently stigmatizing.” The Second Circuit affirmed the dismissal of the CFAA claim but vacated the ruling as to the constitutional privacy claim.
Clarifying precedent in this context, the Second Circuit ruled that the presence of a stigmatizing condition, while relevant to the analysis, is not a threshold prerequisite to a constitutional privacy claim. The court expressly rejected the notion that “only sufficiently serious medical conditions give rise to any interest in privacy at all.” Rather, the court explained, individuals have a fundamental interest in maintaining the confidentiality of medical information generally. Alleged privacy violations are evaluated by a case-specific balancing test that considers the strength of the privacy interest (based on the content of the personal information) as weighed against the government’s proffered justifications for accessing that material. “The stronger the individual interest, the more compelling the government actor’s reasons must be. But even the weakest privacy interests cannot be overridden by totally arbitrary or outright malicious government action.” Applying this framework, the Second Circuit concluded that issues of fact exist as to why the breaches of confidentiality occurred, and thus vacated the district court’s dismissal of the privacy claim. More specifically, the court noted that regardless of the content of the plaintiffs’ medical records, there was likely a violation if the records were accessed for improper or malicious purposes, as was alleged here.
The right to privacy as to personal medical information was also at issue in the recently-settled matter of Beckett v. Aetna, Inc., 2017 WL 3701844 (E.D. Pa. Compl. filed Aug. 28, 2017). That lawsuit alleged that Aetna “carelessly, recklessly, negligently, and impermissibly revealed HIV-related information of their current and former insureds” through postal mailings that revealed personal medical information in the envelope window. In the proposed class action settlement, Aetna agreed to pay more than $17 million and establish “best practices” to prevent future privacy violations.