Massachusetts court allows lawsuit against pharmacy for breach of patient records system
Roger Selvage 884

On The Docket

David B. Brushwood, BSPharm, JD

Patient confidentiality is a cornerstone of the professional duty owed by pharmacists to their patients.

In times past, pharmacies maintained minimal information about patients. Patient information was recorded on paper and was difficult to access. The medication record was often nonspecific, because the relatively few drugs available for therapy did not disclose the precise condition for which the patient was being treated. As long as caution was used in the language of both spoken and written communications, pharmacists could meet confidentiality responsibilities.

Pharmacists today dispense and monitor the use of many different medications with very specific indications that can reveal extremely private information about a patient’s health status. Pharmacy records also contain extensive data about a patient’s medical history. All of this confidential information is organized in a computerized database. The key confidentiality responsibility today is to prevent access to the pharmacy’s computer records by computer hackers.

A court in Massachusetts recently declined to dismiss a lawsuit brought by patients who alleged that their pharmacy should be held liable for a data breach that resulted in the release of patient information.


The plaintiffs alleged that as-yet unidentified hackers breached the defendant’s patient record system that contained a vast amount of patient information. They claimed that they suffered “anxiety, sleep disruption, stress, and fear” as a result of this information disclosure. Their lawsuit was based primarily on two legal theories: professional negligence and the breach of fiduciary duty.

The pharmacy moved for dismissal of the lawsuit, contending that neither of these legal theories could support the plaintiffs’ lawsuit.


The court first examined the pharmacy’s argument that contract law, and not professional liability, would be the appropriate legal theory on which to base a lawsuit of this kind.

The court acknowledged that in a case asserting professional negligence, the plaintiffs must allege the breach of a duty of care. A lawsuit based on poor business practices must be evaluated under contract law. Nevertheless, the court ruled that the plaintiffs had alleged a professional negligence claim, because they contended that the pharmacy’s “security procedures were deficient, permitting an inference that it breached its duty of care.”

The court then turned to the breach of fiduciary duty theory of liability. The court noted that such a claim must allege: “(1) the existence of a duty of a fiduciary nature, based on the relationship of the parties, (2) breach of that duty, and (3) a causal relationship between the breach and some resulting harm to the plaintiff.”

The court examined precedent from prior Massachusetts legal cases that had “twice considered whether the law imposes a fiduciary duty on a pharmacist to keep confidential a patient’s information and had both times concluded that such a fiduciary relationship exists.” The court concluded that the plaintiffs’ lawsuit successfully alleged the breach of the pharmacy’s fiduciary duty to protect the confidentiality of patient information, and that the plaintiffs were harmed as a result.

The pharmacy’s motion to dismiss was denied. Although the outcome of this lawsuit has yet to be determined, the basic principles of legal liability for a breach of pharmacy records have been established.


The commitment to patient confidentiality serves two important purposes in pharmacy.

First, there is a practical purpose, because pharmacists must know sensitive information about patients to facilitate their provision of effective pharmaceutical care services. If patients withhold sensitive information from pharmacists, for fear of public disclosure, then the quality of pharmaceutical care will be diminished.

Second, there is a relational purpose, because confidentiality demonstrates how pharmacists differ from other providers of commercial products. The fiduciary relationship recognized by this legal case reflects the mutuality of trust between pharmacists and patients.

Pharmacies must establish and maintain effective cybersecurity systems to promote quality patient care and to respect the fiduciary nature of the pharmacist–patient relationship. ■


