Health care technology company Becton Dickinson has sidestepped, for now, a class action lawsuit under an Illinois biometrics privacy law, which demanded potentially millions of dollars in damages for hospital workers who needed to scan their fingerprints to access BD’s medication dispensing systems.
Last May, attorneys from the firm of Stephan Zouras LLP, of Chicago, on behalf of named plaintiff Corey Heard, sued Becton Dickinson & Co. for alleged violations of the Illinois Biometric Information Privacy Act.
In the complaint, initially filed in Cook County Circuit Court, Heard said BD’s Pyxis Medication system allows hospitals to require workers to scan fingerprints to access automated medicine dispensaries.
U.S. District Court Judge Rebecca R. Pallmeyer
However, the complaint said that requirement ran afoul of the BIPA law because workers weren’t told how their fingerprint data was stored or how and when vendors would dispose of that information. The lawsuit said BD also did not obtain written authorization from the workers before scanning their prints.
In an opinion issued Feb. 24, U.S. District Judge Rebecca Pallmeyer granted BD’s motion to dismiss the class action complaint.
In moving for dismissal, BD had argued the fingerprint data in Heard’s complaint falls under BIPA’s exemption for data used for health care treatment, payment or other operations under the 1996 Health Insurance Portability and Accountability Act.
Pallmeyer, however, rejected that argument, noting HIPAA is intended to protect the personal information of medical patients, not people who work in health care.
“It seems unlikely that the legislature intended to deprive health care workers of that privacy and control merely because they are using their biometric information for the purpose of patient treatment,” she wrote.
However, that failed reasoning proved unimportant for this case, Pallmeyer said, because Becton Dickinson successfully argued that, as the vendor, its equipment only possessed the contested data and the company can’t be held liable for the collection process at the multiple hospitals where Heard said he worked since 2015.
Heard pointed to BIPA’s origins in 2008 in response to the bankruptcy of Pay By Touch, a vendor of fingerprint scanner payment systems. Pallmeyer didn’t dispute how that bankruptcy, and the potential for a massive data breach as a result, may have influenced state lawmakers. But she said that “does not mean that the (Illinois state) Legislature drafted every provision (of BIPA) with Pay By Touch in mind, or that it intended for every provision to cover entities that operate exactly as Pay By Touch did. Moreover, it is not clear from Heard's own allegations that Pay By Touch did not engage in an affirmative act of collection.”
Although Heard’s complaint repeatedly states Becton Dickinson collected his data, Pallmeyer said, he did so “without alleging how, when or any other factual detail.” He said he had to provide a fingerprint to use Pyxis as a condition of employment, but didn’t allege how that fingerprint got into a Becton Dickinson system or stipulate a difference between storage of data and mere possession.
In addition to failing to provide details that Becton Dickinson was responsible for collecting fingerprints, Pallmeyer continued, Heard also failed to show the company had any control over the data the hospitals used, or that the company improperly disclosed the data. She said the bulk of Heard’s allegations “merely parrot the statutory language” of BIPA instead of offering details specifying how the company allegedly violated the law.
“If Heard has a legitimate reason to suspect that BD disclosed his biometric data or that of the putative class members, he surely possesses information of some kind that triggered his suspicion — such as reports that BD has unlawfully disseminated biometric data in the past, or indications that Heard or the putative class members experienced identify theft after they used their employers’ Pyxis systems,” Pallmeyer wrote. “Such information would not be within BD’s exclusive possession.”
Pallmeyer dismissed the complaint without prejudice, giving Heard until March 31 to amend his complaint.
BD is represented in the case by attorneys Gary M. Miller, Matthew C. Wolfe and Benjamin E. Sedrish, of the firm of Shook Hardy & Bacon LLP, of Chicago.