Case Information
*1 [Cite as Lutsko v. Ohio Health Corp. , 2025-Ohio-974.]
IN THE COURT OF APPEALS OF OHIO TENTH APPELLATE DISTRICT Mechelle Lutsko, : Plaintiff-Appellant, : No. 24AP-399 v. : (C.P.C. No. 22CV-6870) OhioHealth Corporation, : (REGULAR CALENDAR)
Defendant-Appellee. : D E C I S I O N Rendered on March 20, 2025 On brief: Mishkind Kulwicki Law Co. , L.P.A. , and David A. Kulwicki , for appellant. Argued : David A. Kulwicki . On brief: Epstein Becker & Green , P.C. , Jonathan T. Brollier , and Chad J. Smith , for appellee. Argued : Jonathan T. Brollier .
APPEAL from the Franklin County Court of Common Pleas LELAND, J.
{¶ 1} Plaintiff-appellant, Mechelle Lutsko, appeals from a decision and entry of the Franklin County Court of Common Pleas granting the motion for summary judgment of defendant-appellee, OhioHealth Corporation. I. Facts and Procedural History
{¶ 2} On October 3, 2022, appellant filed a “Jane Doe” complaint against appellee, a medical provider, alleging that she was a patient of appellee ’s in 2022 and that, by letter dated August 31, 2022, appellee advised appellant that her confidential information had been accessed by one of appellee’s employee s without appellant’s autho rization to do so and without a legitimate business or medical reason. The complaint asserted causes of action *2 for breach of fiduciary duty, violation of the right to privacy, breach of implied contract, negligence, and punitive damages.
{¶ 3} On November 1, 2022, appellee filed an answer. On February 2, 2023, appellant filed a motion to omit personal identifiers and to “otherwise proceed using the pseudonym ‘Jane Doe.’ ” On February 16, 2023, appellee filed a memorandum contra appellant’s motion to omit personal identifiers. By entry filed March 6, 2023, the trial court denied appellant’s motion to omit per sonal identifiers and ordered appellant to file an amended brief to “properly state her legal name.” (Mar. 6, 2023 Entry at 3.) On March 13, 2023, appellant filed an amended complaint.
{¶ 4} On November 29, 2023, appellant filed a notice of partial voluntary dismissal of her claims for breach of fiduciary duty, breach of implied contract, and negligence. Appellant’s notice provided that her claims for violation of her right to privacy and punitive damages “ remain pending. ” (Emphasis omitted.)
{¶ 5} On April 30, 2024, appellee filed a motion for summary judgment. In the accompanying memorandum in support, appellee argued appellant could not maintain her claim under Count 2 for violation of the right to privacy based on the Supreme Court of Ohio’s decision in Biddle v. Warren Gen. Hosp. , 86 Ohio St.3d 395 (1999). In the alternative, appellee argued that Counts 2 and 5 of the complaint were subject to dismissal because the evidence indicated the actions of its former employee “were entirely intentional and self- serving and in no way facilitated or promoted [appellee’s] business , ” and therefore not committed within the scope of employment. (Appellee’s Mot . for Summ. Jgmt. at 3.)
{¶ 6} In support of its motion for summary judgment, appellee submitted the affidavit of Kelly Partin, appellee’s senior compliance director and chief privacy officer. In that affidavit, Partin averred in part:
2. Attached hereto as Exhibit 1 is a true and accurate copy of the August 31, 2022 letter sent to Plaintiff Mechelle Lutsko informing her that an OhioHealth associate impermissibly accessed some of Plaintiff’s protected health information (“PHI”) on July 4 , 2022 and August 1, 2022. 3. Before this unauthorized access occurred, the associate – Monica Ginther – completed HIPAA training as part of her employment with OhioHealth. As indicated in Exhibit 1, OhioHealth terminated Ms. Ginther’s employment as a result of her unauthorized access to Plaintiff’s PHI. *3 4. Ms. Ginther’s unauthorized access to Plaintiff’s PHI in no way facilitated or promoted OhioHealth’s business as a health system or provider of healthcare service.
(Partin Aff.) {¶ 7} Appellee also submitted several exhibits, including the above referenced letter from appellee to appellant, dated August 31, 2022, and the deposition testimony of appellant. In her deposition, appellant identified Monica Ginther as the individual who accessed her medical information. Appellant stated that she became friends with Ginther in 2004, when they both worked at Ross County Job and Family Services. Appellant related that, at one time, she thought Ginther “was one of my best friends.” (Appellant’ s Depo. at 30.) The friendship eventually ended because of a “jealousy thing” involving appellant’s friendship with another individual who Ginther had dated. (Appellant ’s Depo. at 41.) Appellant did not file a response to appellee’s motion for summary judgment.
{¶ 8} By decision and entry filed June 4, 2024, the trial court granted appellee’s motion for summary judgment. In its decision, the court noted the case “concerns the unauthorized access of [appellant' ’s ] . . . medical information by Ms. Ginther, a former employee of [appellee] .” ( June 4, 2024 Decision at 1.) In its factual findings, the court noted “Ms. Ginther was a former coworker and friend of [app ellant], and [appellant] believes Ms. Ginther acted out of jealousy.” ( June 4, 2024 Decision at 1.) The court further noted appellee “fired Ms. Ginther after it learned of Ms. Ginter’s access of [appellant’s] medical records.” ( June 4, 2024 Decision at 1.)
{¶ 9} In granting summary judgment in favor of appellee, the court agreed with appellee’s contention that appellant “did not properly plead a claim against [appellee] as required under Biddle .” (June 4, 2024 Decision at 4.) In the alternative, the court found that even if appellant “had properly pled her claim” against appellee, summary judgment was still warranted “as Ms. Ginther acted outside the scope of her employment with [appellee] whe n she accessed [appellant’s] information, [appellee] did not ratify Ms. Ginther’s conduct, and Ms. Ginther’s conduct did not promote or facilitate [appellee’s] business.” (June 4, 2024 Decision at 4.) II. Assignment of Error
{¶ 10} Appellant appeals and assigns the following sole assignment of error for our review: *4 THE TRIAL COURT ERRED AS A MATTER OF LAW BY GRANTING SUMMARY JUDGEMENT UPON PLAINTIFF- APPELLANT’S PRIVACY CLAIM.
III. Analysis {¶ 11} Under her sole assignment of error, appellant asserts the trial court erred in granting summary judgment in favor of appellee on her privacy claim. Appellant argues the record indicates a complete failure by appellee to protect her records from impermissible access by its employees. Appellant maintains “[n]othing more should be necessary to justify a denial of summary judgment and a reversal of the trial court’s judgm ent.” (Appellant’s Brief at 17.)
{¶ 12} In order to “prevail on a motion for summary judgment, the moving party must demonstrate that when the evidence is considered most strongly in favor of the nonmoving party, no genuine issue of material fact remains to be litigated and that the moving party is entitled to judgment as a matter of law.” Love. v. Columbus , 2019-Ohio- 620, ¶ 14. This court's review of a trial court's decisio n granting summary judgment “ is de novo.” Bonacorsi v. Wheeling & Lake Erie Ry. Co ., 2002-Ohio-2220, ¶ 24.
{¶ 13} Under Ohio law , “[a] party seeking summary judgment for the reason that a nonmoving party cannot prove its case bears the initial burden of informing the trial court of the basis for the motion and it must identify those parts of the record that demonstrate the absence of a genuine issue of material fact on the elements of the nonmoving party’s claims.” Love at ¶ 15, citing Dresher v. Burt , 75 Ohio St.3d 280, 292-93 (1996). If a moving party “satisfies its initial burden, then the burden shifts to the non moving party to set forth specific facts showing there is a genuine issue for trial.” Love at ¶ 15, citing Civ.R. 56(E); Dresher at 293. In this respect, “[t]he nonmoving party may not rest on the mere allegations or denials of its pleadings, but must respond with specific facts showing there is a genuine issue for trial,” and “[i]f the nonmoving party does not so respond, summary judgment, if appropriate, shall be entered against the nonmoving party.” Love at ¶ 15, citing Civ.R. 56(E); Dresher at 293.
{¶ 14} As indicated above, the trial court in the instant action determined appellant failed to properly plead a claim under the Supreme Court’s decision in Biddle . We begin, therefore, with a consideration of Biddle .
*5 {¶ 15} In that decision, the Supreme Court initially observed that “ ‘a physician can be held liable for unauthorized disclosures of medical information.’ ” Biddle , 86 Ohio St.3d at 399, quoting Littleton v. Good Samaritan Hosp. & Health Ctr. , 39 Ohio St.3d 86, 97, fn. 19 (1988). The court noted, however, the difficulty faced by Ohio courts and those in other jurisdictions in “attempting to provide a legal identity for an actionable br each of patient confidentiality, ” and that “many of these courts have endeavo red to fit a breach of confidence into a number of traditional or accepted legal theories,” including “invasion of privacy.” Id. at 400. The Supreme Court observed that courts “[s] lowly and unevenly . . . have moved toward the inevitable realization that an action for breach of confidence should stand in its own right and increasingly courts have begun to adopt it as an independent tort in their respective jurisdictions.” Id . The Supreme Court thus concluded that, “in Ohio, an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician- patient relationship.” Id. at 401.
{¶ 16} As recognized by one federal court, “the Ohio Supreme Court made clear that other common law claims are not available where a Biddle claim exists.” Tucker v. Marietta Area Health Care , Inc. , No. 2:22-cv-184 (S.D.Ohio Jan. 26, 2023), citing Biddle at 408-09. Rather, the Supreme Court held, such “other theories are either unavailable, inapplicable because of their respective doctrinal limitations, or subsumed by the tort of breach of confidence.” Biddle at 409.
{¶ 17} The Supreme Court has “reiterated and extended” its holding in Biddle in subsequent decisions. Menorah Park Ctr. for Senior Living v. Rolston , 2020-Ohio-6658, ¶ 43, citing Hageman v. Southwest Gen. Health Ctr. , 2008-Ohio-3343. In Hageman , the Supreme Court applied Biddle to hold that an attorney may be liable to an opposing party for the “unauthorized disclosure of that party’s medical information that was obtained through litigation,” reaffirming therefore, “as in our decision in Biddle . . . an independent tort exits to provide an injured individual with a remedy for such an action.” Id. at ¶ 17.
{¶ 18} Further, in Menorah Park , the Supreme Court had occasion to address “the interplay” between the Health Insurance Portability and Accountability Act of 1996 (“HIP A A”), the “subsequent HIP A A Privacy Rule . . . and Ohio’s common -law cause of action for the unauthorized, unprivileged disclosure by a medical provider to a third party of nonpublic medical information recognized by this court in Biddle .” Menorah Park at ¶ 1. *6 In Menorah Park , the Supreme Court held “HIP AA does not preclude a claim under our decision in Biddle when the limited disclosure of medical information was part of a court filing for the purpose of obtaining a past- due payment on an account for medical services.” Id.
{¶ 19} As noted, in the instant case, Count 2 of appellant’s complaint alleged a violation of the right to privacy, and the trial court concluded appellant failed to properly plead a Biddle claim. Specifically, the court agreed with appellee’s contention that Biddle “rejected the practice of using existing legal theories, including invasion of privacy, as the mechanism for imposing liability upon a hospital for the unauthorized breach of patient confidentiality.” (June 4, 2024 Decision at 3.) While Count 2 alle ged appellant’s right to privacy was violated by appellee’s “unauthorized, unprivileged disclosure of nonpublic information obtained in the course of their patient-healthcare provider relationship to an employee who had no authorization or any legitimate business or medical purpose to have access to the information,” appellant’s complaint did not , as noted by the trial court, specifically allege a cause of action for breach of confidence as recognized by Biddle . (Compl. at 3.)
{¶ 20} Even assuming, however, that appellant adequately alleged a Biddle claim, we conclude the trial court properly granted summary judgment in favor of appellee based on the record before it. Specifically , we agree with appellee that appellant’ s claim fails as a matter of law as the evidence, construed most strongly in favor of the non-moving party, shows no disclosure on the part of appellee that would sustain a claim under Biddle .
{¶ 21} In addition to the Supreme Court ’s own pronouncements on Biddle , other Ohio and federal courts have addressed Biddle claims, and several of those cases have included circumstances, similar to the instant case, in which an employee of a health provider (and/or a third party) accessed confidential patient information. In Keyse v. Cleveland Clinic Found ., 2024-Ohio-2806, ¶ 2 (8th Dist.), the plaintiff sued the defendant, Cleveland Clinic Foundation (“Cleveland Clinic”), alleging that the plaintiff’s sister, Diane Shepherd, an employee of Cleveland Clinic, “ ‘snooped’ into [ the plaintiff’s] medical records for her own personal reasons.” Shepherd admitted that she improperly accessed the plaintiff’s medical re cords, and acknowledged the Cleveland Clinic sanctioned her for improper conduct by issuing a written warning and placing her on probation for two years.
*7 {¶ 22} The plaintiff in Keyse asserted causes of action for breach of fiduciary duty, violation of right to privacy, fraud, and punitive damages. On the eve of trial, the plaintiff “withdrew her claims for breach of fiduciary duty and fraud, leaving only her medical- privacy claim, which [the plaintiff’s] counsel acknowledged in an email to Cleveland Clinic counsel was a Biddle claim.” Id. at ¶ 4. The Cleveland Clinic subsequently moved for summary judgment on the Biddle claim, and the trial court granted the motion.
{¶ 23} On appeal, the Eighth District held that the plaintiff’s Biddle claim “fails as a matter of law, ” as the record “demonstrates that Cleveland Clinic made no disclosure whatsoever of [the plaintiff’s] confidential medical information.” Id. at ¶ 16. Specifically, the court held in part:
The breach of confidence tort recognized in Biddle requires “the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician- patient relationship.” A Biddle claim therefore requires a disclosure. According to Black’s Law Dictionary, “disclosure” is “[t]he act or process of making known something that was previously unknown.” But Cleveland Clinic did not do any act, either intentionally or unintentionally, that made [the plaintiff’s] medical information known to anyone. Rather, as Shepherd admitted in her deposition, she improperly accessed her sister’s confidential medical information entirely on her own without authorization to do so.
(Citations omitted.) Id. at ¶ 17. {¶ 24} In Scott v. Ohio Dept. of Rehab. & Corr. , 2013-Ohio-4383 (10th Dist.), this court addressed a Biddle claim in which ten individual plaintiffs, all inmates at Mansfield Correctional Institution, brought an action alleging their confidential medical records were negligently released to the general prison population. Under the facts of that case, the prison medical staff would generate HIV-positive and chronic care lists for inmates receiving ongoing treatment, and outdated lists “were customarily placed in the pharmacy trash without being shredded,” which ultimately resulted in unauthorized access to the records by other inmates. Id. at ¶ 13. In considering the inmates’ claim under Biddle , this court held that “supervised inmate access to trash containing unshredded medical documents does not constitute ‘disclosure’ for purposes of the tort of unauthorized disclosure of medical information as defined by Biddle .” Id. at ¶ 29.
*8 {¶ 25} In Sheldon v. Kettering Health Network , 2015-Ohio-3268, ¶ 1 (2d Dist.), the plaintiffs alleged various common-law tort claims, including invasion of privacy and negligent training, stemming from the defendant’s “alleged failure to protect the privacy of the plaintiffs’ electronic medical information and the improper accessin g and disclosure of that information” by defendant’s administrator, the former spouse of one of the plaintiffs. Id. The trial court granted the defendant’s motion to dismiss, and plain tiffs appealed. On appeal, the Second District initially observed that plaintiffs “have not alleged a set of facts that would entitle them to relief under Biddle ,” noting that “none of the titles for the causes of action in the complaint refer to a Biddle - type independent cause of action.” Id. at ¶ 26. The court further determined that, “at best, the plaintiffs’ claim against [ the defendant] is predicated upon [the defendant’s] alleged failure to earlier detect [the employee’s] intentional, unauthorized access through procedures required by HIPA A.” Id. at ¶ 33. Relying on this court’s decision in Scott , the Second District held “the facts alleged do not constitute ‘disclosure’ for purposes of a Biddle breach-of- confidentiality claim.” Id.
{¶ 26} In Foster v. Health Recovery Servs. , 493 F.Supp.3d 622 (S.D.Ohio 2020), the federal district court for the Southern District of Ohio had occasion to survey Ohio law in addressing a Biddle claim. Under the facts in Foster , the defendant, Health Recovery Services, “learned that its network had been breached . . . when an unauthorized IP address remotely accessed its computer network containing the personal informatio n of clients.” Id. at 628. The plaintiff, who received services from the defendant, brought an action for breach of confidence under Biddle , alleging that the defendant “was aware of security vulnerabilities but did nothing to remedy those vulnerabilities before an unauthorized third party breached the network and potentially accessed his vulnerable medical information.” Id. at 636. Based on a review of Ohio law, including the decisions in Scott and Sheldon , the court in Foster held that plaintiff’s “allegations are not sufficient to state a claim for breach of confidence because Defendant did not commit an intentional or unintentional act of disclosure. Instead, what is alleged is that a third party has exploited Defendant’s security weakness to access the information without Defendant’s authorization.” Id. Similarly, the federal court in Tucker , 2:22-cv-184 observed “several courts . . . have held that Biddle claims do ‘not allow plaintiffs to pursue claims for breach of confidence where third parties intercepted or accessed plaintiffs’ privileged information’ rather than the information being ‘disclosed’ by the defendant.” Tucker , quoting Foster at 636, citing Scott and Sheldon .
*9 {¶ 27} The facts in the present case are analogous to those in Keyse , involving the “deliberate unauthorized access of the plaintiff’s medical information by a third party.” Keyse , 2024-Ohio-2806, at ¶ 23. Further, as found in Keyse , in this case, the re are “no facts suggesting” that appellee “either intentionally or unintentionally disclosed [appellant’s ] c onfidential medical information.” Id. Rather, the evidence indicates Ginther “ acted willfully, improperly, and entirely on her own ” in gaining access to appellant’s medical information. Id.
{¶ 28} A ppellant’s contention that Ginther became “the third -party who was allowed to leaf through her former friend’s confidential information because of the absence of proper security protection mandated by law” is not persuasive. (Appellant’s Brief at 28.) See Foster at 636 (noting, under both Scott and Sheldon , Ohio courts do “not allow plaintiffs to pursue claims for breach of confidence where third parties intercepted or accessed plaintiffs’ privileged information, and defendants did not disseminate or disc lose this information either intentionally or unintentionally”). Similarly, allegations seeking to hold a health-care provider liable for alleged “security vulnerabilities . . . are not sufficient to state a claim for breach of confidence” where a defendant “did not commit an intentional or unintentional act of disclosure.” Id. See also Sheldon , 2015-Ohio-3268, at ¶ 33 (facts of plaintiff’s claim , “predicated upon [ the defendant’s] alleged failure to earlier detect [third party’s] intentional, unauthorized access” of the plaintiff’s information “do not constitute ‘disclosure’ for purposes of a Biddle breach-of- confidentiality claim”).
{¶ 29} Further, a ppellant’s reliance on HIP AA regulations [1] to create liability under Biddle is unavailing. As noted by the court in Keyse , “[a]lthough HIP AA may provide guidance for establishing Biddle liability, ‘it is well -settled that a HIPAA violation does not create a private cause of action for the party whose information has been rel eased.’ ” Id. at ¶ 24, quoting Menorah Park , 2020-Ohio-6658, at ¶ 36. See also Sheldon at ¶ 18 (observing “it is beyond dispute that HIP AA itself does not create an express or implied private right of action for violations of its provisions”).
{¶ 30} Thus, the court in Keyse rejected as “wholly without merit” the plaintiff’s argument that the trial court should have denied summary judgment because the defendant *10 hospital “should have done more under HIP A A to protect the release of her information,” and concluded that “allowing the jury to consider Cleveland Clinic’s compliance with HIPAA despite the failure of [the plaintiff’s] Biddle claim would in effect create a private cause of action for [the plaintiff] under HIPA A, something the law clearly does not allow.” Id. at ¶ 24. Similarly, the court in Sheldon , while noting that “HIP AA does not preempt the Ohio independent tort recognized by the Ohio Supreme Court in Biddle , ” further observed that “federal regulations . . . cannot be used as a basis for negligence per se under Ohio law , ” and that the “utilization of HIP A A as an ordinary negligence ‘standard of care’ ” would be “tantamount to authorizing a prohibited private right of action for violation of HIPAA itself.” Id. at ¶ 24.
{¶ 31} Upon review of the record on summary judgment, and having construed the evidence most strongly in favor of the non-moving party, the record fails to provide factual support to show a disclosure by appellee , “either intentionally or unintentionally,” of appellant’s confidential medical information, and therefore appellant “cannot prove an essential element” of a Biddle claim. Keyse at ¶ 23. In the absence of evidence to demonstrate a genuine issue of material fact as to whether appellee improperly disclosed appellant’s medical information to a third party, the trial court did not err in granting summary judgment in favor of appellee.
{¶ 32} Based upon the foregoing, appellant’s sole assignment of error is not well - taken and is overruled. IV. Conclusion
{¶ 33} Having overruled appellant’s sole assignment of error, the judgment of the Franklin County Court of Common Pleas is affirmed. Judgment affirmed . DORRIAN and EDELSTEIN, JJ., concur.
NOTES
[1] As previously indicated , appellant did not oppose appellee’s motion for summary judgment, and we note appellant’s reliance on HIPAA regulations is not an issue that was presented to the trial court for its consideration, i.e., this argument is raised for the first time on appeal.