Employer Liability for Privacy Breach?

Professionals are often entrusted with confidential information.  Ethical rules as well as federal and state laws limit when such information may be accessed by professionals and under what circumstances it may be disseminated.  Sure, professionals may be held accountable for errors that result in the unintended disclosure of confidential or sensitive data. However, liability is not limited to the professional directly responsible for the breach; rather, employers may be on the hook too. In fact, the employer may be responsible even if the employee’s conduct was illegal or in violation of company policy.

Last week, the Indiana Court of Appeals upheld a $1.4 million jury verdict against Walgreen’s pharmacy arising from a privacy breach by a former pharmacist.  According to the lawsuit, the pharmacist allegedly looked up the prescription history of her husband’s ex-girlfriend in Walgreen’s records.  The ex-girlfriend eventually learned of the violation and filed suit against the pharmacist and Walgreens on a vicarious liability theory, asserting statutory and common law invasion of privacy claims.


After a four-day trial, the jury found the pharmacist and Walgreens jointly liable for $1.4 million in damages.  Walgreens appealed the verdict, contending that it could not be vicariously liable because the employee’s illegal data breach was outside of the scope of her employment as it was in violation of company policy.  The appellate court disagreed, holding that the pharmacist engaged in the same type of general conduct in improperly accessing the prescription records as she would have for properly accessing other patients’ records.  Thus, the court concluded that at least some of her actions were within the scope of employment to support a vicarious liability theory, despite violating Walgreen’s policy.


The Indiana appellate court’s decision has potentially broad consequences for professional employers.  The appellate court’s analysis establishes that where employees owe a duty of confidentiality, the employer may be held liable for the breach, even if it was an intentional act in violation of company policy.  Employers can help to limit the potential damages of such claims by implementing training for employees regarding confidentiality and privacy concerns.  In addition, companies should consider implementing separate access rights to client information depending on the employee’s particular need to access information.  Failure to take adequate precautions to protect confidential information can violate privacy rights and expose employers to costly litigation.