Month: December 2023

Posted on by Gerald L. Maatman, Jr.

Illinois Supreme Court Endorses Broad Interpretation Of The BIPA’s “Health Care Exception”

By Gerald L. Maatman, Jr. and Tyler Zmick

Duane Morris Takeaways:  In the latest ruling in the biometric privacy class action space, the Illinois Supreme Court embraced a broad reading of the “health care exception” in the Illinois Biometric Information Privacy Act (“BIPA”) in Mosby v. Ingalls Memorial Hospital, 2023 IL 129081 (Ill. Nov. 30, 2023).  The Illinois Supreme Court held that the statute excludes from its scope data collected in two separate and distinct scenarios: (1) “information captured from a patient in a health care setting”; and (2) information collected “for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).”  Unlike clause (1), the Supreme Court held that the exception in clause (2) is not limited to data obtained from patients and serves to exclude information that originates from any source.

The Mosby ruling is welcome news to BIPA defendants and companies operating in the health care space.  In the wake of the decision, courts likely will be asked to define the exact contours of the BIPA’s broadened “health care exception” in cases presenting facts that are less obviously tied to health care treatment, payment, or operations compared to the facts at issue in Mosby.

Case Background

The Plaintiffs in Mosby were nurses who claimed that their hospital-employers required them to use a fingerprint-based medication-dispensing system to verify their identities.  Plaintiffs sued their employers and the company that distributed the medication-dispensing system, alleging that Defendants violated §§ 15(a), 15(b), and 15(d) of the BIPA by using the medical-station scanning device to collect, use, and/or store their “finger-scan data” without complying with the BIPA’s notice-and-consent requirements and by disclosing their purported biometric data to third parties without first obtaining their consent.

Defendants moved to dismiss in the trial court, arguing that the claims failed because Plaintiffs’ data was specifically excluded from the BIPA’s scope under § 10 of the statute, which states that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].”  740 ILCS 14/10.  Defendants argued that the latter clause applied in that Plaintiffs’ fingerprints had been used in connection with Plaintiffs providing medicine to patients, meaning their fingerprints were “collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].”  Id.

The trial court denied Defendants’ motions. It ruled that § 10’s “health care exception” was limited to patient information protected under the HIPAA and that the exclusion does not extend to information collected from health care workers.

On appeal, the First District of the Illinois Appellate Court affirmed the denial of Defendants’ motions to dismiss.  Echoing the trial court, the Appellate Court determined that the biometric data of health care workers is not excluded from the BIPA’s scope and that the relevant provision of § 10 excluded from the BIPA’s protections “only patient biometric information.”  Mosby, 2023 IL 129081, ¶ 16; see id. ¶ 17 (“[T]he appellate court held that ‘the plain language of the statute does not exclude employee information from the [BIPA’s] protections because they are neither (1) patients nor (2) protected under HIPAA.’”) (citation omitted).

Appellate Court Judge Mikva dissented from the majority’s opinion.  Judge Mikva opined that the legislature meant to exclude from the BIPA’s scope the biometric data of health care workers “where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by the HIPAA.”  Id. ¶ 19 (citation omitted).  Judge Mikva expressed the view that the first part of § 10’s “health care exception” excludes from the BIPA’s coverage information from a particular source (i.e., patients in a health care setting) and that the second part excludes information used for particular purposes (i.e., health care treatment, payment, or operations), regardless of the source of that information.

The Illinois Supreme Court’s Decision

On further appeal, the Illinois Supreme Court agreed with Appellate Court Judge Mikva’s dissent, unanimously holding that the BIPA’s exclusion for “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” can apply to the biometric data of health care workers (not only patients).

The Supreme Court determined that the relevant sentence of § 10 excludes from the definition of “biometric identifier” data that may be collected in two distinct (rather than overlapping) scenarios – namely, biometric identifiers do not include (i) information captured from a patient in a health care setting or (ii) information collected, used, or stored for health care treatment, payment, or operations under HIPAA.  Id. ¶ 37 (“[T]he phrase prior to the ‘or’ and the phrase following the ‘or’ connotes two different alternatives.  The Illinois legislature used the disjunctive ‘or’ to separate the [BIPA’s] reference to ‘information captured from a patient in a health care setting’ from ‘information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].’  Pursuant to its plain language, information is exempt from the [BIPA] if it satisfies either statutory criterion.”) (internal citations omitted).

The Supreme Court agreed with Defendants that the two categories of information are different because information excluded under the first clause originates from the patient, whereas information excluded under the second clause may originate from any source.  Regarding the second clause, the Supreme Court observed that the Illinois legislature borrowed the phrase “health care treatment, payment, and operations” from the federal HIPAA regulations.  Accordingly, the Supreme Court determined that “the legislature was directing readers to the HIPAA to discern the meaning of those terms,” which meanings “relate to activities performed by the health care provider – not by the patient.”  Id. ¶ 52.

Thus, the Supreme Court held that a health care worker’s data used to permit access to medication-dispensing stations for patient care qualifies as “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” and is exempt from the statute’s scope.

Implications Of The Decision

After the recent slew of plaintiff-friendly BIPA decisions issued by both state and federal courts, the Illinois Supreme Court’s decision in Mosby comes as welcome news for companies facing privacy-related class actions – particularly those operating in the health care space.

Relying on Mosby, defendants will likely add the BIPA’s “health care exception” to their arsenal of defenses in a wider array of cases moving forward.  Importantly, for purposes of the second “HIPAA prong” of the statute’s “health care exception,” federal HIPAA regulations govern the definitions of the terms “health care treatment,” “payment,” and “operations.”  Given that the regulatory definitions of those terms are broad, see 45 C.F.R. § 160.103; id. § 164.501, defendants will likely test the breadth of the exception in future cases presenting facts that may be less obviously tied to health care treatment, health care payment, and/or health care operations compared to the facts at issue in Mosby.

Posted on by Gerald L. Maatman, Jr.

The Duane Morris Class Action Review – 2024 Is Coming Soon!

By Gerald L. Maatman, Jr. and Jennifer A. Riley

Duane Morris Takeaway: Happy Holidays to our loyal readers of the Duane Morris Class Action Defense Blog! Our elves are busy at work this holiday season in wrapping up our start-of-the-year kick-off publication – the Duane Morris Class Action Review – 2024. We will go to press in early January, and launch the 2024 Review from our blog and our book launch website.

The 2024 Review builds on the success of last year’s edition. At over 500 pages, the 2024 Review has more analysis than ever before, with an analysis of over 1,100 class certification rulings from federal and state courts over this past year. The Review will be available for download as an E-Book too.

The Review is a one-of-its-kind publication analyzing class action trends, decisions, and settlements in all areas impacting Corporate America, including the substantive areas of antitrust, appeals, the Class Action Fairness Act, civil rights, consumer fraud, data breach, EEOC-Initiated and government enforcement litigation, employment discrimination, the Employee Retirement Income Security Act of 1974, the Fair Credit Reporting Act, wage & hour class and collective actions, labor, privacy, procedural issues, product liability and mass torts, the Racketeer Influenced and Corrupt Organizations Act, securities fraud, state court class actions, the Telephone Consumer Protection Act, and the Worker Adjustment and Retraining Notification Act. The Review also highlights key rulings on attorneys’ fee awards in class actions, motions granting and denying sanctions in class actions, and the top class action settlement in each area. Finally, the Review provides insight as to what companies and corporate counsel can expect to see in 2024.

We are humbled and honored by the recent review of the Duane Morris Class Action Review – 2023 by Employment Practices Liability Consultant Magazine (“EPLiC”) – the review is here. EPLiC said that “The Review must-have resource for in-depth analysis of class actions in general and workplace litigation in particular.” EPLiC continued that “The Duane Morris Class Action Review analyzes class action trends, decisions, and settlements in all areas impacting Corporate America. The Review also highlights key rulings on attorneys’ fee awards in class actions, motions granting and denying sanctions in class actions, and the top class action settlement in a myriad of substantive areas. Finally, the Review provides insight as to what companies and corporate counsel can expect to see in 2023 in terms of filings by the plaintiffs’ class action bar.”

We look forward to providing this year’s edition of the Review to all of our loyal readers in early January. Stay tuned and Happy Holidays!

Posted on by Class Action Defense

Judge Recommends Scam Class Action Settlement Site Be Shut Down

By Gerald L. Maatman, Jr. and Christian J. Palacios

Duane Morris Takeaways:  U.S. Magistrate Judge Joseph Marutollo’s recent report and recommendation – a novel order in the context of class action settlements – in the proceeding captioned In Re Payment Card Interchange Fee and Merchant Discount Antitrust Litigation, Case No. 1:05-MD-01720, Doc. No. 9009 (E.D.N.Y. Nov. 28, 2023), highlights the risks associated with class action claims websites and the potential for bad actors to create fraudulent web pages to mislead claimants. Corporate defendants should take care to monitor online activity following the creation of a court-authorized settlement website in order to protect any class-wide settlement and claimants against potential fraudsters. Indeed, in a world where scammers are becoming increasingly more sophisticated through the use of technology, class action settlement websites may be the next frontier in the battle against cybercrime.

Background

After 15 years of contentious litigation, Visa and MasterCard settled a putative class action for $5.6 billion to resolve allegations that the credit card companies violated federal and state antitrust laws resulting in over 12 million merchants allegedly paying excessive fees to Visa and MasterCard. As is typical in class actions of this size, a court-authorized settlement website was created to accept claim submissions and provide claimants with details regarding the settlement agreement.

On November 28, 2023, Magistrate Judge Marutollo recommended that the Court order the website “settlement2023.org” (and any affiliate website) be taken down, as the operators of the Settlement2023.org entity, who remain unknown, were attempting to deceive putative class members into using the site through various schemes, including using fake voicemails from rap artist Snoop Dogg to convince users of its validity.   According to Magistrate Judge Marutollo’s report, although the scam website ceased operation on November 21, 2023, it was unclear if other webpages remained open under different domain names that were also operated by the Settlement2023.org entity.

The Magistrate Judge’s Recommendation And Report

In addition to recommending the Court issue an order to take down of any and all remaining webpages that attempt to mimic the court-authorized settlement website, Magistrate Judge Marutollo also recommended that the owners and operators of the Settlement2023.org entity be required to identify themselves, and provide a list of all class members that signed up for its services, as well as give notice to would-be customers that any contract they entered into with the entity was now void.  Finally, the Magistrate Judge requested that the Court be notified of any newly-detected websites and recommended that the court-authorized website be updated to alert those who may have been deceived by the settlement2023.org website.

Implications

Cybercriminals continue to capitalize on advances in technology to launch misinformation campaigns, and large class action settlements are in the cross-hairs of this emerging threat. Therefore, it is imperative that plaintiff and defendant-side representatives alike remain vigilant to protect class members from deception and safeguard the integrity of the class action settlement process.

Posted on by Class Action Defense

The Class Action Weekly Wire – Episode 40: Global Developments In Artificial Intelligence Regulations

U.S. And U.K. Cybersecurity Agencies Announce International Agreement Addressing AI Safety

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and special counsel Brandon Spurlock with their discussion of the latest developments on the regulatory front of artificial intelligence.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Google Podcasts, the Samsung Podcasts app, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, YouTube or our RSS feed.

Episode Transcript

Jerry Maatman: Hello, loyal blog readers! Welcome to the Class Action Weekly Wire. Today our guest is my colleague, Brandon Spurlock.

Brandon Spurlock: Hey Jerry, it’s great to be here. Thanks.

Jerry: Today, we’re talking about the most recent developments on a global basis for regulatory endeavors insofar as artificial intelligence is concerned. I know that, Brandon, you’re a thought leader in that space, so wanted to get your feedback on what corporations should know about the global move towards regulation of artificial intelligence.

Brandon: Absolutely, Jerry. Well, this agreement was unveiled to the public just this past weekend – November 26 to be exact. It’s titled “Guidelines for Secure AI System Development.” This initiative was led by the U.K.’s National Cyber Security Centre, and it was developed in conjunction with the U.S.’ Cybersecurity and Infrastructure Security Agency. These guidelines focus on how to keep artificial intelligence safe from rogue actors. The U.S., Britain, Germany, are among 18 countries that signed on to the new guidelines laid out in this 20-page document. Now, this is a non-binding agreement that lays out general recommendations, such as monitoring AI systems for abuse, elevating data protection and vetting software suppliers. One thing to note is that the framework does not address the challenging questions around data sources for AI models or appropriate use of AI tools.

Jerry: Well it certainly seems to be a milestone on the road to regulation of AI from a comparative standpoint. Where is the United States when it comes to regulation of artificial intelligence, as compared to other countries or major jurisdictions?

Brandon: Really  good question, Jerry. Many countries are putting their resources together, as well as independently positioning themselves to demonstrate leadership when it comes to embracing AI – while also cautioning its security, privacy, and market risk. So countries like France, Germany, Italy – they recently reached an agreement on how artificial intelligence regulations should be structured around “mandatory self-regulation through codes of conduct.” So what does this mean? It’s focused on how these AI systems are designed to produce a broad range of outputs. The European Commission, the European Parliament, and the EU Council are negotiating how the bloc should position itself on this particular topic.

Even last month, when we examined President Biden’s executive order on artificial intelligence, that publication from the White House further provides businesses with the in-depth roadmap of how the U.S. federal government’s regulatory goals regarding AI are developing.

Jerry: The evolution of artificial intelligence is certainly uppermost in the mind of most corporate counsel, and its impact on litigation – and in particular, the class action world – is real and palpable and with us. So thank you for your thoughts and analysis, Brandon, and we’ll see you next week on the Class Action Weekly Wire.

Brandon: Thanks, Jerry.

© 2009-2025 Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress