Lifting of Class Certification Order Associated With Data Breach Lawsuit Versus West Virginia University Health System

West Virginia University Health System is dealing with a class-action lawsuit because of a compromise of the protected health information (PHI) of 7,445 patients, however, the Supreme Court of Appeals of West Virginia has lifted the class certification order.

The lawsuit is in connection with an insider data breach that took place in 2016. From March 2016 to January 2017, Angela Roberts, a registration consultant employed formerly at Berkeley Medical Center and Jefferson Medical Center, which are connected with West Virginia University Health System, accessed the medical information of 7,445 individuals with the purpose of doing identity theft and fraud. Upon uncovering the unauthorized access, Roberts said she acquired access to the health information for work reasons as well as for stealing patient records to give to Ajarhi “Wayne” Roberts, her boyfriend and co-accused.

While looking at the medical documents for legit work requirements, Ms. Roberts confirmed if there was adequate data to enable her and her partner to take patients’ identities. In case there was enough information, the data was stolen and given to Mr. Roberts with the intent to carry out identity theft. Phony Social Security cards were then made to be able to do bank fraud.

Ms. Roberts was accused in a 36-count indictment and made a plea agreement to one count of identity theft last 2017. She confessed to dishonestly obtaining the names, birth dates, signatures, Driver’s License Numbers, and Social Security numbers of 10 patients, and that she handed those details to her boyfriend who employed the data to open accounts. Victims had lost a total of $20,757 and Roberts was instructed to pay for $5,189.25 in compensation.

Legal action was sent in on behalf of the victims Deborah Welch and Eugene Roman that wanted class-action status covering the patients who had their health data impermissibly accessed. Roman and Welch became successful in certifying a class of 7,445 patients; nonetheless, the defendants asserted that the class representatives didn’t have standing since they had encountered no injury-in-fact from the lawful access of their medical information by Ms. Roberts.

The Supreme Court of Appeals not too long ago decided Welch didn’t have sufficient standing to prosecute for a breach of confidentiality or a breach of privacy due to the fact she had sustained no injury-in-fact from the employee’s authorized accessing her health data, and other requirements to class certification were not satisfied. The Supreme Court of Appeals decided that Roman, representing a subclass of 109 people, likewise did not satisfy the conditions for class certification and that the circuit court didn’t deliver a detailed evaluation of the typicality requirement in light of Roman’s conditions and claims. The class certification order was removed for a class action lawsuit would move forward, at least one identified plaintiff need to have standing.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.