Kirk J. Nahra

As privacy advocates, class action lawyers, interested consumers and others struggle to find means of enforcing privacy obligations in the courts, judges grapple with the question of whether entities that violate privacy laws properly face private damages liability. Because most national privacy rules (notably HIPAA and Gramm-Leach-Bliley) contain no private cause of action, plaintiffs struggle to find creative ways to sue over such privacy and security violations. For "injured" victims, finding an appropriate legal theory may be a critical threshold requirement to securing monetary damages. For companies facing privacy obligations, understanding these challenges is critical to appropriately assessing litigation risks.

This ongoing "debate, search and assess" effort is why the recent case of Sorensen v. Barbuto, No. 20050501-CA (UT Ct. App. Aug. 10, 2006, available at www.utcourts.gov/opinions/appopin/sorensen081006.pdf) is so interesting. In that case, a patient sued his former doctor for providing assistance to the defendant in a personal injury suit brought by the patient. The alleged facts are fairly egregious, but they highlight how a "HIPAA-like" claim can be maintained. The case also focuses attention on how - with the right facts - judges may seek out means of remedying HIPAA violations where a reasonably defined actual harm or particularly bad behavior is asserted.

Case Facts
The alleged facts are straightforward (if a bit bizarre). The plaintiff, Sorensen, suffered injuries in an automobile accident. The defendant, Dr. Barbuto, treated him for an extended period of time for these injuries. When Sorensen's medical insurer removed Barbuto from its preferred provider list, Sorensen terminated his treatment relationship with Barbuto and began to receive treatment from another physician.

Shortly thereafter (and apparently unrelated to this change in physicians), Sorensen filed a personal injury claim against the driver of the car that injured him. Barbuto was approached by the defense counsel in that case without Sorensen's knowledge or consent. Barbuto engaged in various communications with defense counsel, wrote a report for defense counsel's use and agreed to testify as an expert witness for the defense (against his former patient). Sorensen eventually prevailed in the personal injury case (and Barbuto's testimony was thrown out).

The Sorensen privacy law decision stems from Sorensen's subsequent suit against Barbuto, brought after Sorensen learned of Barbuto's involvement with opposing defense counsel. He asserted breach of contract and various tort claims against Barbuto, all of which were dismissed by the trial court. The recent decision of the Utah Court of Appeals reversed most of this dismissal.

The Court of Appeals Decision: Contract Claims
The court first addressed Sorensen's contract claims. While agreeing with Sorensen that his claim did not fail due to a lack of a written contract, it upheld the dismissal of this count on the ground that Sorensen had terminated his relationship with Barbuto prior to Barbuto's involvement with the defense counsel. The court explicitly indicated that the claim sounded in tort, rather than contract.

Tort Claims
The court next considered Sorensen's breach of professional duty claim (which included a breach of fiduciary duty claim). The court rejected Barbuto's claim that he violated no duty because Sorensen had placed his physical condition at issue in the case, finding that this "exception" to the physician-patient privilege doctrine could not be the basis for Barbuto to act against the patient in a suit where Barbuto was a third party. The court then held that "ex parte communication between a physician and opposing counsel constitutes a breach of the physician's fiduciary duty of confidentiality." The court also held that the trial court's dismissal of Sorensen's negligence claim was in error, as the fiduciary duty that existed in this situation could support a negligence claim.

The court also found that Sorensen could pursue a claim for intentional infliction of emotional distress. Because Barbuto not only communicated ex parte with defense counsel, but also became a paid advocate for Sorensen's adversary, the conduct by Barbuto met the standard of "extreme and outrageous" conduct necessary to sustain a claim for intentional infliction of emotional distress.

Finally, the court addressed the common law invasion of privacy claim, which focused on whether there was a "public disclosure of private information." The court found that Sorensen's private information was provided only to defense counsel and "a few incidental people," and therefore was insufficient to constitute a public disclosure of this information. Dismissal of this claim was upheld.

Impact of the Decision
Common law torts do not fit very well: As we have seen in other situations, the traditional common law tort of invasion of privacy does not accommodate many of the privacy and security breach situations that are generating attention today. Wrongful use of personal information, sloppy security practices, misuse of information for marketing purposes, etc. - all are "harms" envisioned by current privacy laws, and none fit well into the common law elements. As many court cases indicate, the common law of invasion of privacy does not provide much support for plaintiffs asserting injury from contemporary categories of privacy and security breaches.

Bad facts make for creative remedies: Bad facts - or particularly egregious behavior - do create incentives for courts to fashion a creative remedy. Here, Barbuto's behavior rose to the level of "extreme and outrageous" conduct - a very high threshold. Because such behavior also seems to turn the traditional doctor-patient role on its head, the court went out of its way to find a remedy. Few people will defend Barbuto's behavior in this case; whether the remedy is appropriate is a different question.

The case presents some similarities to an earlier federal trial court decision, where the court seemingly regarded the claimed behavior as unfair, even though it did not violate any specific law. In Ingram v. Mutual of Omaha Insurance Company, 170 F.Supp.2d 907 (W.D.MO. 2001), an insured sued her health insurer for breach of fiduciary duty in connection with the disclosure of medical records in response to a third-party subpoena. The facts in the case were essentially uncontested. The insured, Ingram, had been identified as a potential witness in an unrelated case. The defense attorney in that case subpoenaed Ingram's medical records from her health insurer. The insurer produced the records responsive to the subpoena, without seeking to quash the subpoena. Ingram's consent to produce the medical records was not obtained, nor was the insured informed that her records were being disclosed. Other parties challenged subpoenas seeking information about Ingram, and these motions were overruled, with the court holding that the information requested through the subpoenas was reasonably calculated to lead to the discovery of admissible evidence.

Following disclosure of her records, Ingram sued her insurer, alleging that the insurer had breached its fiduciary duty and physician-patient privilege when it disclosed her medical records in response to the subpoena. According to the court, the "central issue" in the case was whether the insurer's failure to object or file a motion to quash was a breach of the insurer's fiduciary duty. The court ultimately ruled in favor of the plaintiff. While Mutual of Omaha's behavior was nowhere near the "extreme and outrageous" conduct of Barbuto, the court apparently sought a remedy for what it viewed as insufficient efforts by an insurer to stand up for its insured.

Damages are still an issue and claims face an uphill struggle: The Utah Sorensen decision also reminds us that damages remain a problematic element of any privacy-related litigation - and that privacy claims still face an uphill battle in many circumstances, even where improper behavior has occurred. Even given his doctor's "extreme and outrageous" behavior, Sorensen still lost - decisively - in the trial court, and needed an appellate decision to send him back to the start of his lawsuit. He remains some distance from actually recovering significant damages.

A key decision as to the role of damages allegations in privacy cases is Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (App. Div. 2002). In Smith, a bank promised its customers that it would not and did not sell their personal information to third parties. In fact, the suit alleged, the bank sold customer lists to third parties, including a telemarketing firm. Moreover, the bank allegedly received a percentage of the profits from products sold as a result of these telemarketing services. A class of bank customers sued, alleging that the bank violated its obligations to the plaintiff class.

Despite these egregious allegations, the court dismissed the complaint, finding no allegations of actual damages. The court said that "the 'harm' at the heart of this purported class action, is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm." Moreover, "[t]he complaint does not allege a single instance where a named plaintiff or any class member suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail." Accordingly, the court found that the complaint was appropriately dismissed for failure to state a cause of action, i.e. no claim existed on the facts as they were alleged.

Smith is the clearest enunciation of the "no damages" theory - but not the only one. Clearly, with other fish to fry, the plaintiffs' bar has not been impressed by the potential "pot of gold" related to privacy litigation. Nor, despite the increase in privacy litigation in recent months, is there any particular evidence to indicate that courts are in any way more sympathetic to claims of damages in connection with potential privacy and security harms, outside of the limited range of cases where someone can be blamed for outrageous behavior.

We can continue to expect that plaintiffs (and their counsel) will invoke creative means of supporting privacy lawsuits. And, where the behavior is bad enough, or there is demonstrable harm, courts may be sympathetic, even if they have to fiddle with existing causes of action to make the punishment fit the crime.

Kirk J. Nahra is a partner with Wiley Rein & Fielding LLP in Washington, D.C., where he specializes in healthcare, privacy information security and counseling. He is chair of the firm's Privacy Practice and co-chair of its Healthcare Practice. He was elected to the Board of Directors of the International Association of Privacy Professionals, and serves as the Editor of The Privacy Advisor. He is a Certified Information Privacy Professional. He can be reached at +202.719.7335 or knahra@wrf.com

© 2006 Wiley Rein & Fielding LLP. Reprinted with permission, Privacy In Focus Sept. 2006. This is a publication of Wiley Rein & Fielding LLP providing general news about recent legal developments and should not be construed as providing legal advice or legal opinions. Consult an attorney for any specific legal questions.

