A Cautionary Tale Involving a Business, a Privacy Policy, and an Email
Privacy, Cyber & AI Decoded Alert | 2 min read
Aug 12, 2021
Accidents happen, but so can negligence. When you combine negligence with a violation of one or more statutes and a constitutionally guaranteed right to privacy, the consequences can and should be dire. That is what the unidentified plaintiff in Jane Doe v. Lane Fertility Institute for Education and Research Inc., et al. is claiming anyway.
In the case—which is currently pending in the Superior Court of California, Marin County—defendant is a business subject to the requirements outlined in the federal Fertility Clinic Success Rate Act of 1992 (FCSR). To keep its certification under the FCSR, defendant is required to report specific data, such as a patient's medical history, a description of the fertility treatments and procedures attempted, and any information about resulting pregnancies and births.
In 2018, plaintiff engaged defendant, seeking fertility-related medical services. The privacy policy provided to plaintiff stated that defendant would contact her only through the means she designated. Plaintiff provided a private email address as her preferred method of contact, but would later communicate with defendant via her personal work email.
In late 2019, defendant contacted plaintiff by way of her personal work email address and sought information from her so that it could comply with its reporting obligations. Plaintiff was on maternity leave, so defendant received an automated message, which included a general email address to contact for inquiries. Although the automated message alone should have been a red flag, defendant, nevertheless, sent an email containing plaintiff's personal health information to the general email address. Nine of plaintiff's co-workers—who had no knowledge of the procedures defendant had performed—received the email. Distressed by the disclosure of her private medical information, plaintiff filed a complaint against defendant.
While the outcome of this case remains to be seen, it is still instructive for businesses that communicate personal and private information. Some key takeaways we identified are:
- When communicating personal information electronically, know and understand who all the recipients are.
- Businesses should follow their privacy policies. Deviations from the policy may result in legal action and ultimately subject a business to both liability and reputational damages.
- Businesses should provide employees with training on both the handling of personal information and the terms of their own privacy policy.
Related People
Related Capabilities
Featured Insights
Webinar
May 19, 2026
Scott Seaman Speaks on Making Decisions in Difficult Risk Environments
Webinar
May 19, 2026
Scott Seaman Speaks on Making Decisions in Difficult Risk Environments
Event
May 7, 2026 - May 9, 2026
Anshuman Vaidya Presents on IRS Criminal Tax Enforcement Priorities at the ABA Tax Meeting
Webinar
Apr 29, 2026
When a Cyber Breach Hits: Cybersecurity, Privacy, and Compliance
In The News
Apr 24, 2026
Michael Dowell Reviews New PBM Reform Reshaping Pharmacy Reimbursement
Lawyers for the Profession® Alert
Apr 21, 2026
When Does a Client’s Duty to Investigate Begin? Lessons from a Time-Barred Malpractice Case
Press Release
Apr 20, 2026
Tom Kuzmanovic Selected for BizTimes Milwaukee 2026 Notable Leaders in Law
Press Release
Apr 17, 2026
André Sesler Elected to the Board of Trustees of the University of Florida Law Center Association
Hinshaw Alert
Apr 17, 2026
Q&A: How to Submit Your IEEPA Refund Claim as CAPE Portal Launches April 20, 2026
