Almost exactly a year ago, the first COVID-19 tuition reimbursement lawsuits were filed against higher education institutions across the United States and we warned of the continued onslaught of such litigation. With the filing of those reimbursement class actions decreasing, higher education institutions should be cognizant of a potential new wave of COVID-19 class actions: privacy class action lawsuits related to the COVID-19 vaccine.
In Doe v. University of Cincinnati, plaintiffs allege that the defendants provided UC Health, LLC, “a private third-party entity,” with personal information of each of its students in order to assist with the ability to provide vaccinations.
By providing this information, plaintiffs allege defendants violated the Ohio Privacy Act, R.C. 1347, because such transfer occurred “without each individual student knowingly, voluntarily, and intelligently consenting.”
Plaintiffs also allege the transfer of personal information violated “their federal constitutional rights” pursuant to 42 U.S.C. § 1983. According to the complaint, the Ohio courts have ruled that Social Security numbers are subject to the federal constitutional right to privacy.
Notably, plaintiffs allege, “[t]here is no pandemic exception to the Constitution and state privacy laws.”
These COVID-19 vaccine lawsuits raise interesting questions about balancing the competing interests of preventing the spread of COVID-19 and ensuring the safety of students, faculty, and staff against the need to protect the security and confidentiality of personal information. At minimum, this class action, and others like it, should remind all higher education institutions of the importance of implementing and maintaining an effective cybersecurity and data privacy program.
The programs should robustly protect the security and confidentiality of personal information and guard against unauthorized access to it, taking into account the size and resources of the institution, the nature, sensitivity, and circumstances surrounding the collection of personal information, and the costs and tailored approach of collecting and protecting the personal information. There should be clear policies explaining when data is collected, how it is used, if and to what extent it is shared, and if possible, whether informed consent has been given. As with other privacy issues, higher education institutions should also be mindful of how they utilize third-party vendors or contractors to assist with their vaccination roll-outs. Giving thoughtful consideration to these factors will mitigate risks associated with privacy claims based upon negligence theories, and bolster potential defenses surrounding safe harbor provisions.