A New Jersey hospital can now pursue a subpoena that would require an internet service provider (ISP) to hand over information potentially identifying at least one person accused of hacking into its email server.
The New Jersey Superior Court's Appellate Division overturned a judge's February 2012 decision, which will allow St. Luke's Warren Hospital to continue its legal quest for information from Verizon.
The appeals court published its opinion last Friday, the same day The Warren Reporter, a New Jersey publication, first reported the decision.
The case stems from two incidents. One occurred in 2008, when an anonymous person allegedly accessed the hospital's website to login to its secure mailbox to send offensive emails to hospital employees.
According to a published opinion by the court, “both the emailed message and the linked video compared one of the individual plaintiffs to Adolf Hitler and other dictators.”
Along with the hospital, individuals listed as plaintiffs are Thomas Litz, Robert Rumfield, Theodore Ruhf, Cassandra Gill, Gail Newton and Elizabeth Baron.
Newton is the vice president of patient care services at St. Luke's, and Rumfield serves on its board of trustees. Litz is a former president and CEO of the hospital. According to a 2010 article by Pennsylvania's The Express-Times, at the time Ruhf was an administrative director; Gill, an administrative assistant; and Baron, a fiscal services administrative assistant.On October 2009, another unnamed hacker accessed the hospital's site to access an employee's email account to send a different message, “accusing more than one of the individual plaintiffs of sexual misconduct and other wrongdoing,” the court document said.
Three separate IP addresses were used in the incidents.
In September 2010, plaintiffs filed a complaint claiming the incidents were "defamatory." They also sought subpoenas for four separate ISPs to provide information on who committed the alleged acts.
Last Friday, the appeals court ruled only on the matter of the Verizon subpoena, saying the plaintiffs were entitled to pursue the action in court.
“Plaintiffs have presented sufficient facts from which we may assume that what 'John Does One and Two' did electronically was no different than if they had broken into the hospital and spray painted their messages on the hospital's walls,” the court document said.
Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center (EPIC), a Washington, D.C.-based civil liberties nonprofit, said the case resembles court battles in which companies request ISPs for the names of individuals accused of copyright infringement.
“In this the case, the ISP, [like] in many other cases, pushed back to make sure this isn't some privacy invading or First Amendment inhibiting action on the part of the hospital,” Butler continued. “That's where the law is still really developing, and a judge really has to decide: Is it necessary to reveal the anonymous speaker in the case, [or] is there some other way the hospital can find out who the speaker was?"