This monthly column is written by Ellie F. Chapman of Morgan, Lewis & Bockius LLP in San Francisco. It is designed to provide RPP readers with a sampling of the types of patient privacy cases that courts are now hearing. It is not intended to be a comprehensive monthly survey of all patient privacy court actions. Contact Ellie at ellie.chapman@morganlewis.com.
Hospital Workers Allege Biometric Scans Violate Privacy Law. On March 19, a putative class action was filed in Cook County Circuit Court against Illinois’s NorthShore University HealthSystem (NorthShore) over claims that NorthShore’s practice of requiring employees to scan their retinas or hands to gain access to restricted hospital areas violates the state’s Biometric Information Privacy Act (BIPA), Charles Thurman et al. v. NorthShore Univ. HealthSystem, Case No. 2018CH03544. The named plaintiff, Charles Thurman, worked at NorthShore’s Evanston, Illinois, hospital as a full-time director of security and public safety. As part of his qualification as a restricted access worker, he was required to scan his fingerprint and retina so that NorthShore could use them as authorization methods to allow access to restricted areas at the hospital. In the complaint, Thurman alleged that NorthShore’s retention of his data put him and a putative class of restricted access workers at risk for identity theft. Workers may be exposed to “serious and irreversible privacy risks” if a biometric information database is hacked or breached due to the fact that biometric information is unique to the individual from whom it is collected. Thurman further alleged that NorthShore never properly informed him or the putative class in writing about the specific purpose for their fingerprint collection; the length of time that the workers’ biometric data would be collected, stored and used; and what might happen to their biometric data if NorthShore merged with another company. He also alleged that NorthShore violated BIPA by releasing the biometric information to vendors. This action is the latest in a string of BIPA suits filed in Illinois state court. Nearly 100 such lawsuits have been filed in Illinois trial courts alone since September 2017. Experts say that the litigation trend may be due in part to the fact that plaintiff attorneys view BIPA claims as “low hanging fruit” given the availability of liquidated damages under the statute. Texas and Washington have passed similar laws regulating businesses’ collection of biometric data, but unlike Illinois, Texas and Washington’s BIPA statutes do not include a private right of action permitting individual plaintiffs to sue for violations—only the state attorneys general can enforce the law’s requirements.