In Smallwood v. State, A21-0001 (Minn. Ct. App. Aug. 23, 2021), the court of appeals decided several issues affecting privacy claims. The case concerned a hacker accessing a Minnesota Department of Human Services e-mail account. Smallwood, who was civilly committed to the state sex-offender program as a sexually dangerous person, was informed that his private information may have been accessed. He sued the state, arguing that this caused him emotional and economic harm.
Smallwood’s first claim against the state was for violation of the Minnesota Government Data Practices Act. The district court dismissed this claim at the outset for failing to state a claim for damages. The court of appeals reversed, finding that the complaint sufficiently alleged, for the purposes of moving forward into discovery, that the state failed to implement appropriate security safeguards. Concerning damages, the court held that a complaint need only state a general claim for emotional distress damages and does not require detailed pleading to substantiate the claim prior to discovery. The court, however, noted that the economic damages claim did not appear plausible because the information alleged to have been disclosed (medical information, name, date of birth, and contact information) was not prone to expose him to economic harm and/or was already a matter of public record.
Smallwood’s second claim alleged a violation of the Minnesota Health Records Act. The court held that the statutory framework of the MHRA, in particular its definition of “person,” “did not intend to waive sovereign immunity to allow state liability for HRA claims.”