BSCR Firm News/Blogs Feed

All Claims Means ALL: The PREP Act Provides Immunity in COVID-19 Vaccination Case

15 Jun 2023

ABSTRACT: The Kansas Court of Appeals recently issued a decision in M.T. v. Walmart Stores, Inc., addressing the applicability of the PREP Act immunity for claims surrounding a failure to secure parental consent prior to administering a COVID-19 vaccine to a minor. In doing so, the Court touched on issues surrounding the language of the Act involving who is covered, what is covered, and preemption.

In M.T. and M.T., as next friend of her minor daughter, M.K. v. Walmart Stores, Inc. and Mark Schukar, a consolidated appeal from the District Court of Johnson County, Kansas, the Kansas Court of Appeals affirmed in part and reversed in part the District Court’s decision. Specifically, the Court of Appeals found that the District Court erred in not dismissing all of the Plaintiff Mother’s claims that she brought against Defendants Walmart and Schukar due to the immunity provided by the Public Readiness and Emergency Preparedness (PREP) Act.

Plaintiff Mother’s claims arose after Defendant Schukar, a pharmacist at Walmart, administered a Pfizer COVID-19 vaccine to the Plaintiff Mother’s minor child, M.K., without her parental consent, despite having the minor’s 21-year-old brother-in-law present. The Plaintiff Mother alleged that her minor child was told that she could receive the vaccine without parental consent because she was 15 years old. However, Kansas law actually requires parent consent for medical treatment if the minor is under the age of 16. See K.S.A. § 38-123b. The Plaintiff sought damages for alleged, but unspecified physical injuries to her daughter and for her own emotional injuries, asserting claims against defendants Walmart and Schukar for invasion of the right of privacy (and interfering with parental control), battery, negligence, consumer protection violations, and punitive damages.

The District Court originally dismissed most of her claims because they were barred by the PREP Act. See 42 U.S.C. § 247d-6d(a), (d). Both parties appealed – the Plaintiff Mother arguing that none of her claims should have been dismissed, while the Defendants argued that all of her claims should have been dismissed. The appeals were consolidated into the appeal at issue here.

Background on The PREP Act

The PREP Act, enacted on December 30, 2005, as Public Law 109-148, Division C, § 2, amended the Public Health Service (PHS) Act. Ultimately, the amendments to the PHS Act concerning liability immunity and a compensation program were codified within 42 U.S.C. § 247d-6d. The PREP Act essentially provides liability immunity to “covered persons” (individuals or entities) for any claim for loss that has a causal relationship with the administration of a “covered countermeasure,” except for claims involving “willful misconduct.” Id. A covered countermeasure includes, among other things, a qualified pandemic or epidemic product and a drug, biological product, or device that is authorized for emergency use (which includes vaccines). See Id.; 42 USC § 262(i)(l).

The immunity provided applies to “all claims for loss caused by, arising out of, relating to, or resulting from the administration to or the use by an individual of a covered countermeasure ….”, which includes “any claim for loss that has a causal relationship with the administration to or use by an individual of a covered countermeasure.” See 42 U.S.C.§ 247d-6d(a)(1), (2)(B) (emphasis added). There is also a preemption provision within the statute, preventing any State of political subdivision of State from establishing, enforcing, or continuing in effect as to a covered countermeasure any provision of law or legal requirement that conflicts with the requirements of the statute and essentially relates to any matter included in a requirement applicable to a covered countermeasure under the statute or under the Federal Food, Drug, and Cosmetic Act [21 U.S.C. 301 et seq.]. See 42 U.S.C.§ 247d-6d(b)(8).

Former Secretary Alex M. Azar II, issued a Declaration concerning medical countermeasures against COVID-19 that would be covered under the PREP Act and, subsequently, various amendments have been made to clarify and/or otherwise add categories of qualified countermeasures, qualified persons, and/or categories of disease, health conditions or threats. One such covered countermeasure for which liability immunity is in effect is as to “any antiviral, any other drug, any biologic, any diagnostic, any other device, or any vaccine, used to treat, diagnose, cure, prevent, or mitigate COVID-19.”

The Question(s) and Answer(s) on Appeal

The District Court found that the Plaintiff Mother’s claims for battery, claims for losses or damages, and claims regarding deception as to the efficacy of the vaccine and its approval status were causally related to the covered countermeasure - e.g., providing the Pfizer COVID-19 vaccine - and dismissed those claims. However, the District Court would not dismiss the remaining claims concerning Plaintiff Mother’s allegations surrounding failure to obtain parental consent. Specifically, in refusing to dismiss those claims, the District Court focused on parenting being a “fundamental constitutional right and issues of consent and the age of majority are traditionally state law issues”; thus, the Act couldn’t interfere with or preempt those rights where the Act did not expressly intend to do so.

There were two questions certified for appeal:

(1) "Is the [PREP Act] and its immunity provision completely preemptive of all state law causes of action, regardless of the theory, so long as there is any connection or involvement whatsoever with a covered countermeasure?"; and

(2) "Does the [PREP Act] give covered persons absolute immunity to violate Kansas parental consent or age of medical consent for minors law?"

However, because it believed the questions certified by the District Court went beyond the actual controversy, the Court of Appeals limited its review to the question:

“Whether a claim based on the administration of a covered countermeasure without parental consent is causally related to the administration of a covered countermeasure.”

It ultimately answered that question in the affirmative – in that because the PREP Act applies to any claim for loss that has a causal relationship with the administration to an individual of a covered countermeasure, all of Plaintiff Mother’s claims should be dismissed – even those claims that were based on a failure to obtain parental consent.

In other words, the Court of Appeals agreed with the Defendants that the language of the PREP Act was unambiguous: all claims means all claims, not "all claims except for those based on a violation of a fundamental right."

To get there, the Court of Appeals first established that the injection of Pfizer COVID-19 vaccine was a covered countermeasure, as recognized by the Secretary and FDA declaring the vaccine “as a vaccination contemplated under” the PREP Act, which the Court was permitted to take judicial notice of, and based on the allegations in the Petition. Defendants were also “covered persons” for purposes of the PREP Act.

The Court of Appeals also rejected the argument that application of the PREP Act was improper at the motion to dismiss phase because nothing in her Petition permitted ascertainment as to whether Walmart obtained the vaccine through one of the two means of distribution specific by the Secretary of Health and Human Services – either by agreement with the federal government or in response to the COVID-19 pandemic. In so rejecting, the Court of Appeals recognized that there is no evidence that the vaccine was sold commercially before the pandemic, unlike, for example, a case involving hand sanitizer.

The Plaintiff Mother further argued that the application of the PREP Act was improper because her Petition focused on claims of inaction, which fall outside the scope of the PREP Act’s available immunity, and/or that the PREP Act does not cover failure to act and that obtaining parental consent is not a covered countermeasure. The Court of Appeals was not so persuaded – specifically pointing out that such “claims of inaction” are, for example, claims for a failure to administer or use a covered countermeasure, not for the improper administration of the covered countermeasure. In this case, there was, in fact, a successful administration of the covered countermeasure – the vaccine – by covered persons, even if it was arguably improper due to the minor’s age and lack of parental consent. As such, the exception the Plaintiff Mother was arguing for did not apply.

The Court further recognized that the Plaintiff Mother’s preemption argument – that her negligence claim was outside the scope of the PREP Act because willful misconduct claims have been found to not displace state law claims for negligence and recklessness – was misplaced. The Court found that even if the PREP Act does not completely preempt state-law intentional tort claims, the same “does not establish that its immunity protections do not apply to intentional tort claims causally related to the administration of a covered countermeasure.”

Ultimately, the Court held that the PREP Act applied to all of the Plaintiff Mother’s claims – even those based on the failure to secure parental consent and found that the District Court erred in denying Defendants’ motions to dismiss, in part, due to failing to dismiss all the claims. It reversed and remanded the cases so that the Plaintiff Mother’s claims would all be dismissed.

This decision should shine some light on and provide hope for Defendants in the future seeking to challenge Petitions on the basis of the PREP Act’s applicability and provide further support for dismissal of all claims causally related to the administration of a covered countermeasure by covered persons.

Jackson County, Missouri Jury Rejects 3M Surgical Blanket Infection Claims

04 Nov 2022

On October 13, 2022, a Jackson County (Independence), Missouri jury rejected personal injury claims by the Plaintiff in Katherine O'Haver v. Anesthesia Associates of Kansas City PC et al., Case No. 1816-CV30710. Plaintiff claimed that 3M Co.’s Bair Hugger Forced Air Warming System blanket caused her to develop a joint infection after the product was used on her at a Missouri hospital during a November 2016 left total knee arthroplasty surgery.

Plaintiff filed suit in November of 2018, but 3M was not named until an Amended Petition was filed in December of 2018, adding 3M and its alleged wholly owned subsidiary Arizant, previously known by Augustine BioMedical, Inc. The Plaintiff claimed that contaminants entered her wound during a surgery and caused a deep joint infection, which required her to have additional operations and risks of additional complications.

The product, Bair Hugger Forced Air Warming System, is an FDA approved medical device that is designed to prevent and treat unintended hypothermia in individuals undergoing surgery. The device is placed over the patient during a surgery and its central heating unit draws in air through a filter that warms the air and blows the newly warmed air out through the devices’ hose into the perforated blanket that is over the patient.

Specifically, in the Amended Petition, Plaintiff claimed that “[s]cientific studies have shown that as this warmed air rises against the downward airflow in the operating room, it deposits bacteria carried on particles from the non-sterile portions of the operating theater to the sterile surgical field and the surgical site.” As a result, as against 3M and Arizant, Plaintiff made claims for Strict Liability: Defective Design and Failure to Warn, Negligence, Breach of Express and Implied, Violation of the Missouri Merchandising Practices Act, Negligent and Fraudulent Misrepresentation, and Fraudulent Concealment.

3M is not a stranger to claims against it concerning this device. It has, in fact, faced claims concerning this device’s safety and efficacy in recent years, including multidistrict litigation (MDL) where those plaintiffs also alleged they developed infections as a result of the product’s use during their surgeries. We previously reported on the MDL litigation here and here.

In August of 2021, the Eighth Circuit reached two decisions, both for and against 3M. In sum, one decision revived thousands of claims in a separate MDL against 3M concerning this device where the Court actually reversed the MDL Court’s decision to exclude three of plaintiffs’ medical experts’ opinion testimony that the device caused bacterial infections, along with the grant of summary judgment to 3M. While 3M petitioned the U.S. Supreme Court for further review of the decision, the Court declined to hear the appeal. The other decision, issued the next day, affirmed 3M’s win against claims for Strict Liability: Design Defect and Failure to Warn, finding that the Court was right to exclude certain evidence that did not show causation as to the joint infection alleged and allow one of 3M’s expert’s to testify about operating room airflow.

While 3M came out victorious in the O’Haver matter, it was not without intensive motion practice during trial, including 3M’s Motion for Mistrial and Directed Verdict (both Motions were overruled). We can, however, anticipate that there will be an appeal made by the Plaintiff. As a result, this battle may not be over for 3M in Missouri state court.

Can't satisfy both the FDA and the State? The judge will be the judge of that.

20 Jun 2019

ABSTRACT: With great power comes great responsibility; how the recent SCOTUS decision requiring prescription-drug manufacturers to prove the FDA rejected sufficient additional warnings will affect your impossibility preemption defense.

In May 2019, in a move rejecting the reasoning of the Third Circuit, the U.S. Supreme Court dove into two critical aspects of preemption analysis in Merck Sharp & Dohme Corp. v. Albrecht et al., No. 17-290, slip op. (U.S. May 20, 2019). The Court addressed who will decide whether preemption exists (a judge), and how to decide whether preemption exists where FDA action and state law conflict thereby destroying a plaintiff’s related state claims.

Specifically, the Court held a plaintiff’s claim that a drug manufacturer failed to warn pursuant to state law will fail when a judge applies a “clear evidence” standard and finds that the relevant federal and state laws “irreconcilably conflict.”

Petitioner drug manufacturer, Merck Sharp & Dohme Corporation, sought Supreme Court review of the Third Circuit’s decision to vacate and remand the lower court’s Order granting Merck’s Motion for Summary Judgment. The Respondents, more than 500 individuals who filed individual suits which were consolidated into a multi-district litigation (MDL), were prescribed an osteoporosis drug manufactured by Merck (Fosamax) and subsequently suffered rare thigh bone breaks (referred to in litigation as “atypical femoral fractures”). The Respondents alleged Merck breached a legal duty imposed by the state to warn of the risk of atypical femoral fractures associated with using Fosamax. Merck countered these claims with an “impossibility preemption” defense, arguing the Respondents’ state law claims should be dismissed because conflicting federal law displaces, or preempts, the state requirement. The Court fleshed out preemption standards set forth in an earlier Supreme Court case (Wyeth v. Levine) in an explicit attempt to aid lower courts when conducting preemption analyses, and remanded the case with these new understandings. While the Court remanded the case, it did opine that “there is sufficient evidence to find that Merck violated state law by failing to add a warning about atypical femoral fractures to the Fosamax label.”

Under Wyeth v. Levine, 555 U.S. 555 (2009), a state-law failure-to-warn claim is preempted where there is “clear evidence” that the FDA would not have approved a change to the label. Since Wyeth, courts have struggled to both define and apply this “clear evidence” standard. In Merck, the Court elaborated on the clear evidence standard set out in Wyeth and held that Merck would have to show two things to trigger state law preemption: (1) Merck gave the FDA an evaluation or analysis concerning the specific dangers that would have merited the additional warning, and (2) Merck presented the would-be-state-compliant warning but was prohibited from adding said warning by the FDA.

The original Fosamax label was approved by the FDA in 1995. The original label did not warn of the risk of atypical femoral fractures. While the Court points to the fact that Merck scientists knew of at least a “theoretical risk” of these fractures, Merck brought the theoretical considerations to the FDA’s attention and the FDA approved a Fosamax label without requiring mention of the risk. In 2008, Merck applied to change the Fosamax label in two ways: (1) add reference to “low-energy femoral shaft fracture” in the Adverse Reactions section of the label, and (2) provide longer discussion focused on the risk of stress fractures in the Precautions section. The FDA approved the first addition, but rejected the second on the basis that the discussion of “stress fractures” was not sufficiently related to the risk of the specific atypical femoral fracture. This is because atypical femoral fractures are low energy fractures that are the result of stress fractures, and have different pain symptoms and more severe repair remedies. At that time, the FDA did however invite Merck to resubmit its application to address label change deficiencies. Instead, Merck withdrew its application and changed the Adverse Reactions section through the “changes being effected” (CBE) process. The CBE process is provided within the FDA regulations and permits drug manufacturers to change labels without prior FDA approval where “newly acquired information … based on reasonable evidence” warrants a new or stronger warning. A warning about “atypical femoral fractures” appeared on the Fosamax label in 2011, after the FDA ordered a label change based on its own analysis.

Finally, the Court reiterates the long-standing principle that the only FDA agency actions capable of answering whether preemption exists are those taken pursuant to the FDA’s congressionally delegated authority. Where, as in Merck, the answer to preemption revolves around a question of agency disapproval, the Court unambiguously held the question of agency disapproval is a question of law for a judge to decide, not a jury. Chatter of the role of a jury, specifically regarding factual questions about the meaning and effect of an agency decision in preemption cases, was silenced by the Court’s Opinion. The Court unabashedly admits there are such factual questions within a preemption analysis, but held that those questions are “subsumed within an already tightly circumscribed legal analysis and do not warrant submission alone or together with the larger pre-emption question to a jury.” Ultimately, the Supreme Court remanded the case because the Third Circuit improperly analyzed the question of preemption as one of fact for a jury, rather than a question of law, and because the Court has now clarified how to properly apply the clear evidence standard.

What does this mean for your company?

If you, like Merck, are in the business of manufacturing drugs, you can take solace in the fact that an FDA preemption argument is in the hands of a judge. Because the Supreme Court has now held this issue is one exclusively for the Court, it may be ruled upon during motion practice with less strife related to facts “subsumed” in this kind of complex legal analysis. But this strategic advantage cuts both ways. Drug-manufacturers will now have to show that the company submitted a state law required warning to the FDA. Litigation of these issues to date has largely involved questions about what exactly the FDA rejected when disapproving label changes. The Court makes clear that the manufacturer’s proposed label change cannot be of some broader, less threatening risk – like stress fractures – when the company has knowledge of a specific, less appeasing risk – like atypical femoral fractures. This is to say, while the power that comes with an impossibility preemption defense can be a great litigation tool, the responsibility to fully inform and present the FDA with state-compliant warnings is equally great.

Consider Playing By This Book's Rules: FDA-MITRE Cybersecurity Guidance

31 Oct 2018

ABSTRACT: In an October 1, 2018 statement issued from FDA Commissioner Scott Gottlieb, M.D., the FDA not only announced its efforts to strengthen its medical device cybersecurity program, but also unveiled its collaborative effort with MITRE, producing a cybersecurity "playbook" in order to assist entities in preparing for and responding to cybersecurity attacks.

As part of Cybersecurity Awareness Month, we continue our discussion about the FDA’s efforts to help prepare various entities to address cybersecurity threats, vulnerabilities, and even attacks. In our previous post, we previewed the FDA and MITRE’s cybersecurity Regional Incident Preparedness and Response Playbook (the “playbook”) for health care delivery organizations. Here, we take a more in depth look into what that playbook has to offer.

The playbook’s focus is primarily aimed at preparing Health Care Delivery Organizations (“HDOs”), including their stay, for addressing and responding to cybersecurity threats. The playbook is not intended to address the day-to-day patch management of devices, but rather addresses threats and vulnerabilities for large-scale, multi-patient impact and patient safety concerns.

The playbook’s guidance primarily consists of four guiding steps, going in chronological order: (1) preparation, (2) detection and analysis, (3) containment eradication and recovery, and (4) post-incident activity. Below is a summary of these action steps, but you are encouraged to read the actual playbook for a more in-depth explanation and/or expansion on the summary below.

(1) PREPARATION

Assess and bolster cyber defensive measures and develop handling process and procedures to enable better operations when an incident arises.

Suggested Steps:

1. Incorporate cybersecurity awareness into medical device procurement in order to strengthen the response to a cybersecurity incident. (E.g. Request a Software Bill of Materials to identify and address vulnerable device components.)

2. Take a medical device asset inventory. (E.g. Identify device name and description, physical location of device, device owner and manager.)

3. Perform a hazard vulnerability analysis to assess and identify potential gaps in emergency planning, including a review as anticipated cybersecurity threats and existing mitigations. (E.g. Identify potential cybersecurity risks, such as lack of staff with the ability to detect and respond to a cybersecurity incident.)

4. Prepare medical technical specialists (i.e. the response team to all hazard incidents) with cybersecurity and medical device expertise as part of the hospital incident management team.

5. Create an Emergency Operation Plan to determine how the HDO will “respond to and recover from a threat, hazard, or other incident” with a device. (E.g. Identify members and their roles and responsibilities.)

6. Create an overall Incident Response communication plan (E.g. Identity key internal and external communication roles.)

a. Specify incident-sharing expectations for all participants in the above communication plan. (E.g. What incidents can and cannot be shared?)

b. Identify cybersecurity incidents, initiate outreach to manufacturer and then to broader healthcare community.

c. Implement external incident notification and continue to stay abreast of intrusion information and/or mitigation recommendations from manufacturer(s).

d. Create a communication template for how incident notification will occur and how.

7. Implement user awareness training with all medical device users in your company and conduct preparedness and response exercises for all-hazards.

(2) DETECTION AND ANALYSIS

Identify and establish that an incident has occurred.

Suggested Steps:

1. Define the priority of and appropriate level of response to incidents.

2. Implement formal and informal reporting obligations (Note: Manufacturers are required to conduct a formal notification of the incident to its customers and user community.)

3. The incident investigation and analysis can begin once initial incident parameters have been set.

4. All activities taken to address cybersecurity incidents and responses must be recorded or otherwise documented. Benefits of recording these activities include preserving evidence for potential criminal activity and learning to improve the response for the future.

(3) CONTAINMENT ERADICATION AND RECOVERY

Response to the confirmed cybersecurity incident begins. Such activities could include a strategy of “contain, clear, and deny” (i.e. halt cybersecurity incident, fix it and restore services quickly) or a “monitor and record” strategy (i.e. watch and “capture” adversary actions).

(4) POST-INCIDENT ACTIVITY

Identify what went well and what did not; such information can be leveraged to improve existing plan and future response. It is also suggested to retain a trained, digital forensics expert to fully identify the damage done.

For immediate, additional information about addressing cybersecurity breaches in medical devices, consider visiting the Baker Sterchi blog posts below addressing cybersecurity:

Summary of FDA’s 10.1.18 Announcement.
Three-part series on addressing cybersecurity breaches in medical devices: Part I, Part II, Part III.
Four-part series addressing postmarket management of cybersecurity in medical devices: Part I, Part II, Part III, Part IV.

FDA Announces Strengthened Focus On Cybersecurity

11 Oct 2018

ABSTRACT: In an October 2, 2018 statement issued from FDA Commissioner Scott Gottlieb, M.D., the FDA announced its efforts to strengthen its medical device cybersecurity program in order to protect patients from medical device vulnerabilities and emerging threats to those devices.

CYBERSECURITY. In a statement issued from FDA Commissioner Scott Gottlieb, M.D., the FDA made clear the threat of cybersecurity attacks are no longer a theoretical discussion, but are present and as such steps must be taken to proactively address future threats. Such attacks are already here in other capacities, including attacks on financial institutions, government agencies, and health care systems.

The FDA’s specific concerns revolve around attacks on patient medical devices. Cybersecurity researchers have found various vulnerabilities in patient medical devices that could result in bad actors gaining access and control over the patient’s medical device. While “FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” the “risk of such an attack persists.” As a result, in an effort to instill confidence in both patients and providers that it can effectively address any reported medical device cyber vulnerabilities, the FDA has determined that it is important to address such a threat of an attack now.

In taking such proactive steps, the FDA announced it has coordinated with the MITRE Corporation to launch a cybersecurity “playbook” for health care delivery organizations, along with the “signing of two significant memoranda of understanding.” A “sneak peek” at the playbook shows it addressing the types of readiness health care delivery organizations should consider in order to be better prepared and address cybersecurity incidents involving their respective medical devices. The memoranda, among other actions, created such groups as information sharing analysis organizations, which are groups of experts (aimed to include manufacturers who share potential vulnerabilities and threats) that gather, analyze and disseminate important information about cyber threats.

The FDA’s work in addressing cybersecurity threats dates back to 2013 with the establishment of its medical device cybersecurity program. The FDA has issued a premarket and postmarket guidance for manufacturers to consider in addressing their cybersecurity vulnerabilities and threats. While the FDA’s premarket guidance was finalized in 2014, it announced in this statement that it plans on publishing a “significant update to that guidance to reflect the FDA’s most current understandings of, and recommendations regarding, this evolving space.” One such example included providing customers with a list of cybersecurity bill of materials to ensure that device customers and users are able to respond quickly to potential cybersecurity threats.

Finally, the FDA is taking steps to bring additional resources to build its medical device cybersecurity program, starting with its Fiscal Year 2019 Budget in order to establish additional “regulatory paradigms” to proactively address vulnerabilities and threats.

Be on the lookout for a future discussion of the FDA’s collaborative “playbook” with MITRE, as well as a posting on the FDA’s “significant update” to its 2014 premarket guidance.

For immediate, additional information about addressing cybersecurity breaches in medical devices, visit our prior posts addressing cybersecurity:

Three-part series on addressing cybersecurity breaches in medical devices: Part I, Part II, Part III;
Four-part series addressing postmarket management of cybersecurity in medical devices: Part I, Part II, Part III, Part IV.

"Impossibility Preemption" Remains Alive and Well in Missouri for Generic Drug Manufacturers

06 Apr 2018

“Impossibility preemption” applies to bar tort claims where it is impossible for a party to comply with both state and federal law. In the recent opinion of Raskas v. Teva Pharms. USA, Inc., No. 4:17-CV-2261 RLW, 2018 U.S. Dist. LEXIS 3507 (E.D. Mo. January 8, 2018), the Eastern District of Missouri reaffirmed application of “impossibility preemption” to generic drug manufacturers on strict liability and negligent defective design and failure to warn claims.

The allegations in the Raskas v. Teva complaint provide the story of a young man, Ralph Raskas, who, after seeking treatment for nausea and vomiting, ingested the medication prescribed by his physician - generic metoclopramide - and allegedly developed pain and restlessness in his legs. After being diagnosed with “drug-induced acute akathisia,” he complained of significant pain and eventually committed suicide after two prior attempts. His father filed a wrongful death action against Teva Pharmaceuticals, USA (Teva) and Actavis Elizabeth, LLC (Actavis) - manufacturers of the dispensed generic metoclopramide - alleging that the drug caused his son’s neurological injuries and suicide. Plaintiff asserted claims for strict liability and negligent defective design and failure to warn, negligence in identifying risks associated with the drug, as well as what he contended was a failure to update the generic medication’s labeling to conform to that of its brand name equivalent. Relying upon PLIVA, Inc. v. Mensing, 564 U.S. 608 (2011), and Mutual Pharm. Co. v. Bartlett, 570 U.S. 472 (2013), Teva and Actavis sought dismissal of all claims against them on federal preemption grounds.

The Raskas court began its analysis of the plaintiff’s claims by reviewing the approval requirements of the Food and Drug Administration (FDA) for both brand name and generic drugs. To gain approval of brand name drugs, a manufacturer must submit a new-drug application (NDA) that includes clinical investigative reports and all relevant information to allow the agency to determine whether the drug is safe for use. On the other hand, approval of a generic drug typically requires only that the generic be “bioequivalent” to the branded medication. In fact, a generic may receive FDA approval without any in vivo studies, solely based on in vitro studies that study dissolution of the proposed generic. See 21 C.F.R. §§ 320.24(b)(5) and 320.22(d)(3).

Critically for the generic drug manufacturers in Raskas, 21 C.F.R. Part 314 prohibits generic drug manufacturers from 1) making any unilateral changes to a drug’s label, and 2) deviating from the drug’s approved formulation. See 21 21 C.F.R. §§ 314.94(a)(8)(iii), 314.150(b)(10), and 314.70(b)(2)(i). These federal regulatory restrictions are the basis for the “impossibility preemption” found in Raskas.

In rejecting the plaintiff’s defective design claims, the court considered Brinkley v. Pfizer, Inc., 772 F.3d 1133 (8^th Cir. 2014), in which metoclopramide design defect claims were specifically precluded due to preemption because the only way the manufacturer could avoid liability under Missouri law was by redesigning the product. If a generic drug manufacturer were required to redesign the product to comply with Missouri state law, it would be impossible to comply with federal law, which requires a generic drug’s formulation to be bioequivalent to the branded medication and the generic’s labeling to be identical to that of the brand name drug. This is the definition, and a descriptive example, of impossibility preemption, which provides that “[w]here state and federal law directly conflict, state law must give way.” Mensing, 564 U.S. at 617.

Raskas’s failure to warn claims were found to be similarly barred by impossibility preemption, because the warning labels on the generic metoclopramide manufactured by Teva and Actavis were required, under 21 C.F.R. Part 314, to be identical to those of the brand name medication Reglan®. If the failure to warn claims were allowed to proceed, generic drug manufacturers - in order to escape state tort liability - would be required to relabel their products to provide additional information or warnings, which is directly prohibited under federal regulations. The Missouri federal district court in Raskas determined it would be impossible for Teva and Actavis to comply with both state and federal law in this instance, so dismissal of the failure to warn claims against them was appropriate.

Although the plaintiff attempted to distinguish its claims from those presented in controlling legal precedent, the court ultimately concluded that impossibility preemption applied to each of the asserted negligence, strict liability, and wrongful death claims for failure to warn or defective design. The plaintiff was, however, granted leave to amend his complaint to adequately plead an alleged claim against Teva and Actavis for failure to update their labeling to conform to that of Reglan®, the brand name medication.

The Raskas opinion may be found here in its entirety.

Breaking Up [Plaintiffs] Is [Not] Hard To Do

28 Mar 2018

ABSTRACT: In dismissing non-Missouri Plaintiffs from a product liability lawsuit, the United States District Court for the Eastern District of Missouri adds to split in authority between two of Plaintiffs' favorite forums in Missouri and California, testing the limits of Bristol-Myers Squibb.

While Neil Sedaka may have convinced many that breaking up is hard to do, Judge Stephen N. Limbaugh, Jr. of the United States District Court for the Eastern District of Missouri (“EDMO”) has made it clear that breaking up non-Missouri related Plaintiffs from a product liability case is certainly not hard to do in the post-Bristol-Myers Squibb Co. era.

On January 24, 2018, the EDMO added to the split in authority between Missouri and California, two forums favored by Plaintiffs, thereby testing the limits of Bristol-Myers Squibb Co. v. Super Ct. of Cal., 137 S. Ct. 1772 (2017) (“BMS”).In Nedra Dyson, et al., v. Bayer Corporation, et al., No. 4:17CV2584- SNLJ, (E.D. MO Jan. 24, 2018) (“Dyson”), Judge Limbaugh of the EDMO granted Defendants’ Motion to Dismiss 92 non-Missouri related Plaintiffs in a product liability lawsuit based on a lack of personal jurisdiction, finding that a Defendant’s clinical trials and marketing of a product in the state of Missouri does not establish personal jurisdiction for purposes of non-Missouri related Plaintiffs’ claims for that product. This is consistent with other recent EDMO decisions:

See Siegfried v. Boehringer Ingelheim Pharmaceuticals, Inc., 2017 WL 2778107 (E.D. Mo. June 27, 2017);
Jordan v. Bayer Corp., No. 4:17cv865(CEJ), 2017 WL 3006993 (E.D. Mo. July 14, 2017);
Jinright v. Johnson & Johnson, Inc., 2017 WL 3731317 (E.D. Mo. Aug. 30, 2017);
Shaeffer et al., v. Bayer Corp., et al., 4:17-CV-01973 JAR (E.D. Mo. Feb. 21, 2018).

The Dyson Defendants, who were also not citizens of Missouri, relied on BMS to argue that the EDMO lacked personal jurisdiction over the claims of 92 non-Missouri related Plaintiffs, and should be dismissed. The Defendants argued that dismissal of these Plaintiffs would provide complete diversity between the remaining Plaintiffs and Defendants and the amount in controversy would still exceed $75,000. This quickly became a fight between the parties, with one side trying to persuade the court to decide personal jurisdiction before subject matter jurisdiction and the other side arguing vice-versa. Ultimately, the court determined that personal jurisdiction could and should be decided prior to subject matter jurisdiction, because it provided the more straightforward analysis in light of BMS. Deciding subject matter jurisdiction would involve resolution of notoriously complex issues, reasoned the court.

Quick Recap On BMS: As a brief refresher, BMS involved both California and out of state Plaintiffs who sued in California state court based on alleged injuries caused by Defendant BMS’ drug. The United States Supreme Court, who took the case on a writ of certiorari, overturned the state court, applying “settled principles regarding specific jurisdiction,” finding that California state courts fail to retain specific personal jurisdiction over non-resident Defendants for claims asserted by non-resident Plaintiffs that do not arise out of or relate to the Defendant’s contacts with the forum. The Court rejected Plaintiffs arguments for specific personal jurisdiction based on alleged marketing and promotion of the product and clinical trials held in the state of California. The Court would also not allow the resident Plaintiffs’ allegations to confer personal jurisdiction over the non-resident Plaintiffs claims. Therefore, the Supreme Court dismissed the claims of the non-resident Plaintiffs.

In Dyson, the non-Missouri related Plaintiffs conceded that the medical device at issue (Essure) was not implanted in Missouri. However, Plaintiffs argued that their allegations concerning Defendant Bayer’s connections with Missouri should support the court’s exercise of personal jurisdiction. Plaintiffs alleged that Bayer’s marketing strategy was developed in Missouri, Missouri was one of the eight sites chosen to conduct pre-market clinical devices on the product (Essure), the original manufacture of the product’s conduct was in Missouri, the sponsoring of biased medical trials was in Missouri, and St. Louis, Missouri was the first city to commercially offer the Essure implant procedure.

Those arguments failed to persuade Judge Limbaugh, who ultimately found that the Dyson Plaintiffs failed to make a prima facie showing for personal jurisdiction and, as such, he denied their motion for jurisdictional discovery to support those arguments. Relying on BMS, Judge Limbaugh rejected Plaintiffs’ marketing campaign arguments, pointing out that the non-Missouri Plaintiffs not only failed to allege they viewed Essure advertising in Missouri, but also failed to allege they purchased, were prescribed or were injured by the product in Missouri. Thus, it was not relevant that Defendant first marketed Essure in Missouri. As for Plaintiffs’ argument regarding clinical trials in Missouri, Judge Limbaugh found such alleged conduct too attenuated to serve as a basis for specific personal jurisdiction over Defendants. In fact, the non-Missouri Plaintiffs failed to allege they even participated in a Missouri clinical study or that they reviewed and relied on the Missouri clinical studies in deciding to use the products.

In contrast to Dyson, Plaintiffs have tried to rely on the recent California case Dubose v. Bristol-Myers Squibb Co., No. 17-cv-00244, 2017 U.S. Dist. LEXIS 99504 (N.D. Cal. June 27, 2017) in support of specific personal jurisdiction over non-forum Defendants. Dubose, however, does not appear to employ the same analysis as BMS or its progeny.

In Dubose, a South Carolina resident Plaintiff sued AstraZeneca, Bristol-Myers Squibb, and McKesson in California federal court, alleging a defect in a prescription diabetes drug. The Dubose court relied upon Walden v. Fiore, 134 S.Ct. 1115 (2014), a 2014 U.S. Supreme Court decision that was in fact a pro-Defendant ruling intended to limit the states’ exercise of personal jurisdiction over non-resident Defendants. The Dubose Court reasoned that because Walden stressed that only the Defendants’ conduct could justify exercise of personal jurisdiction, any jurisdictional analysis should ignore Plaintiff’s residence or place of injury, and focus instead upon conduct that might “tether” the Defendant to the forum state. Ultimately, the Court relied on the Ninth Circuit’s preexisting “but for” test, holding that the pre-approval clinical trials were “part of an unbroken chain of events leading to Plaintiff’s alleged injury” and, therefore, specific jurisdiction existed because Plaintiff’s injuries “would not have occurred but for [Defendants] contacts with California.” Regardless, the Dubose Court ultimately transferred the case to South Carolina, the Plaintiff’s home state.

The judge in Dubose also decided Cortina v. Bristol-Myers Squibb Co., No. 17-cv-00247-JST, 2017 U.S. Dist. LEXIS 100437 (N.D. Cal. June 27, 2017) on the same theories, denying a motion to dismiss but transferring the case to New York, where the Plaintiff was a resident and was prescribed the drug at issue. However, in a footnote, the Cortina court noted that, “[it] does not mean to suggest that even a de minimis level of clinical trial activity would satisfy the requirements of specific jurisdiction.”

While the holdings for the Dubose and Cortina case appear to have relied upon attenuated claims of specific personal jurisdiction, in the EDMO, Judge Limbaugh concluded that the Dyson non-Missouri Plaintiffs’ claims were too attenuated from Missouri to prove specific, case linked personal jurisdiction. For example, the Dubose Plaintiff did not allege that she participated in any of the Defendants’ California clinical trials, but the Dubose court relied on others, not a party to the case, who participated in them. If specific personal jurisdiction exists in every state where a clinical trial occurred, then any Plaintiff who used the subject drug conceivably could sue the manufacturer in any of those states—no matter where the manufacturer is based and no matter where the Plaintiff resides or used the drug. It would be illogical for courts to adopt this rationale, calling that “specific” personal jurisdiction, and would be contrary to the United States Supreme Court’s recent pronouncements on personal jurisdiction, including in BMS.

Other recent cases have held similarly to the EDMO in Dyson, dismissing non-resident Plaintiffs due to a lack of both general and personal jurisdiction. For example, the Southern District of Illinois has been granting dismissal of non-Illinois Plaintiffs and denying remand in pharmaceutical drug, product liability cases. Specifically, those cases held that misjoined, multi-Plaintiff complaints no longer preclude removal, that there was no general personal jurisdiction pursuant to Daimler AG v. Bauman, 134 S. Ct. 756 (2014) and no specific personal jurisdiction existed pursuant to BMS, and/or found that conducting in-state clinical trials is not sufficient contact to support specific personal jurisdiction in suits by non-residents. See; Braun v. Janssen Research & Development, LLC, 2017 WL 4224034 (S.D. Ill. Sept. 22, 2017); Bandy v. Janssen Research & Development, LLC, 2017 WL 4224035 (S.D. Ill. Sept. 22, 2017); Pirtle v. Janssen Research & Development, LLC, 2017 WL 4224036 (S.D. Ill. Sept. 22, 2017); Roland v. Janssen Research & Development, LLC, 2017 WL 4224037 (S.D. Ill. Sept. 22, 2017); Woodall v. Janssen Research & Development, LLC, 2017 WL 4237924 (S.D. Ill. Sept. 22, 2017); and Berousee v. Janssen Research & Development, LLC, 2017 WL 4255075 (S.D. Ill. Sept. 26, 2017).

Bringing this back to Dyson, Judge Limbaugh’s decision reaffirms that it really is not that hard to break up Missouri Plaintiffs from non-Missouri Plaintiffs in a product liability lawsuit where the non-Missouri Plaintiffs cannot truthfully allege that their claims arise out of a connection to the state of Missouri (and cannot solely rely on clinical trials occurring in Missouri). This is not to say that non-Missouri Plaintiffs will never find another forum and/or that their claims are foreclosed; rather, those Plaintiffs have a better chance of avoiding a bad break-up by bringing their claims in the forum out of which their claims allegedly arise.

Missouri Supreme Court May Be Signaling a Change in Analysis of Misjoinder of Claims in Multi-Plaintiff Product Liability Cases

19 Oct 2017

ABSTRACT: The Missouri Supreme Court has recently issued a preliminary writ of prohibition regarding a City of St. Louis trial court's refusal to formally sever one of dozens of product liability cases that the court has ordered be separately tried. The preliminary writ may provide hope of a reversal in course on recent jurisprudence related to misjoinder of claims.

On October 13, 2017, the Missouri Supreme Court issued a preliminary writ of prohibition directed to Circuit Judge Rex Burlison of the Circuit Court for the City of St. Louis, temporarily staying the talc case, Valerie Swann, et al. v. Johnson & Johnson, et al. The Supreme Court case number is SC96704. The plaintiffs, on behalf of the trial court, are to answer the writ petition by November 13, 2017.

Plaintiff Michael Blaes is one of 47 plaintiffs in the case, who contend that they or their decedents developed ovarian cancer following use of talcum powder. Johnson & Johnson alleges that Blaes’s decedent did not purchase or use talcum powder in the City of St. Louis. Blaes’s case was set for separate trial from those of the other plaintiffs, but Judge Burlison declined to formally sever his claim such that it could be reassigned and venue assessed. That decision is the subject of Johnson & Johnson’s petition for a writ of prohibition.

Missouri has long had a troubled history with venue analysis. As part of tort reform in 2005, the legislature made significant changes to the venue statute, designed to prevent forum shopping. The recent explosion in “litigation tourism” focused in the City of St. Louis has not been due to any change in, or deficiency of, the venue statute and the joinder rules, but in changes in the application of long-standing principles of venue and joinder.

Refusal to sever unrelated claims is at the core of the problem. Litigation tourism in St. Louis depends upon a single, anchor plaintiff who is a Missouri resident with a plausible jurisdictional claim and basis to claim venue in the City of St. Louis, with dozens of unrelated, out-of-state plaintiffs clinging to that anchor plaintiff’s case to justify pursuit of claims in Missouri against non-residents. The claims are misjoined and should be severed, but to date the Missouri Supreme Court has declined to find that a trial court’s refusal to sever misjoined claims warrants reversal on appeal unless the defendant can establish that the severance decision was prejudicial to the outcome (by establishing that the City of St. Louis is a biased venue). See Barron v. Abbott Labs., Inc., No. SC96151, 2017 Mo. LEXIS 403, at *6 (Sep. 12, 2017).

Severance has not always been this controversial, but reflects a change in the application of Missouri law and procedure in recent years. Rule 52.06 of the Missouri Rules of Civil Procedure is titled “Misjoinder and nonjoinder of parties,” and provides that “Any claim against a party may be severed and proceeded with separately.” Misjoinder of claims or parties requires severance of the claims. See State ex rel. Gulf Oil Corp. v. Weinstein, 379 S.W.2d 172, 174 (Mo. App. St. L. 1964).

Rule 52.05 identifies the only circumstances under which the claims of multiple plaintiffs may be properly joined in a single action:

All persons may join in one action as plaintiffs if they assert any right to relief jointly, severally, or in the alternative in respect of or arising out of the same transaction, occurrence or series of transactions or occurrences and if any question of law or fact common to all of them will arise in the action.

Mo. R. Civ. P. 52.05(a) (emphasis added). Both tests must be met for plaintiffs to be joined in a single action. Id.; State ex rel. Allen v. Barker, 581 S.W.2d 818, 826 (Mo. banc 1979). If those requirements are not met, the claims are misjoined and severance is required. Even if joinder is permitted, severance is still permissible in the trial court’s discretion, based upon factors related to fairness, economy, and prejudice. See Wilson v. Bob Wood & Associates, Inc., 633 S.W.2d 738, 743 (Mo. App. W.D. 1981).

Rule 52.05(a) is analogous to Fed. R. Civ. P. 20(a), which provides that parties may be properly joined only where claims by or against them arise out of the same transaction or occurrence or present common questions of law or fact. In State ex rel. Allen v. Barker, 581 S.W.2d 818, 826 (Mo.1979) the Missouri Supreme Court discussed the adoption of Rule 52.05(a), recognized that it was patterned after the federal rule, and applied federal cases to interpret it. Id. The federal rule has been extensively construed, and overwhelmingly find that the claims of multiple plaintiffs are misjoined when the only commonality amongst plaintiffs is that they allege damages resulting from using the same product. See, e.g., In re Orthopedic Bone Screw Prods. Liab. Litig., MDL No. 1341, 1995 WL 428683, at *5-6 (E.D. Pa. July 15, 1995). In the bone screw litigation, the only plaintiffs who were allowed to remain joined in a single action were those who underwent surgery by the same doctor or group of doctors, at the same hospital, and who received the same or a similar device by the same manufacturer. Id. at *5. There is no reason in the rule why Missouri should be applying joinder principles in a manner so inconsistent with the federal courts.

Recent jurisprudence in the City of St. Louis and in the Eastern District Court of Appeals, in fact, is inconsistent with those courts’ own past precedent on misjoinder and severance. In Gulf Oil, plaintiffs had purchased fuel oil in unrelated transactions at different times. Id. at 174. These transactions did not constitute the “same transaction nor a series of transactions.” Id. at 175. Moreover, even though the plaintiffs all sustained fires, these occurred on different dates. Id. Accordingly, the plaintiffs’ losses did not constitute the same “occurrence.” Id.

The Gulf Oil court was keenly focused upon what is the “transaction” and what is the “occurrence” that is common to the plaintiffs. Because the issue is joinder of plaintiffs, it is a plaintiff-focused, not defendant-focused analysis. Recent jurisprudence on the eastern side of the state has shifted that focus to the notion that plaintiffs’ claims can arise out of the same transaction or occurrence when they derive from common conduct of the defendant, which has been expanded to include the design, marketing, and sale of the product. In reaching these decisions, the early trial court orders rely upon cases analyzing the proper joinder of defendants, which is, of course, a defendant-behavior-focused analysis.

Taken to the illogical extreme, the approach of focusing upon the defendants’ business practices and product design to establish joinder would allow any purchaser of a product to join with any single Missouri plaintiff and to pursue their claims in Missouri. It is simply untenable, and seems inevitable that, if the Missouri Supreme Court does not curtail this problem, the U.S. Supreme Court will. Allowing non-residents to sue non-residents for extraterritorial conduct and injuries is not constitutionally defensible. Personal jurisdiction limitations “are a consequence of territorial limitations on the power of the respective States.” Hanson v. Denckla, 357 U.S. 235, 251 (1958); see also World-Wide Volkswagen Corp v. Woodson, 444 U.S. 286, 292 (1980) (minimum contacts requirement serves the dual functions of protecting defendant against the burden of litigation and ensuring states “do not reach out beyond the limits imposed on them by their status as coequal sovereigns in our federal system”).

There are hopeful signs – the Eastern District Court of Appeals just overturned the first talcum verdict against Johnson & Johnson for lack of personal jurisdiction. See Estate of Fox v. Johnson & Johnson, No. ED104580, 2017 Mo. App. LEXIS 1043 (Mo. App. E.D. Oct. 17, 2017). The dust has not yet settled on these issues, however.

Johnson & Johnson’s writ of prohibition takes a subtly different track from the issue argued in Barron. In its recent writ, Johnson & Johnson does not argue that Judge Burlison erred in denying the original motion to sever based upon misjoinder of the plaintiffs’ claims, but that, when the court ordered separate trial of each of the claims, that the claims of each plaintiff should have been formally severed such that venue (and presumably jurisdiction) would be independently assessed as to each of the severed claims.

Rule 66.02 provides:

The court, in furtherance of convenience or to avoid prejudice, or when separate trials will be conducive to expedition and economy, may order a separate trial of any claim, cross-claim, counterclaim, or third-party claim, or of any separate issue or of any number of claims, cross-claims, counterclaims, third-party claims, or issues.

Rule 52.06 provides that “Any claim against a party may be severed and proceeded with separately.” Missouri law has been somewhat ambiguous as to the relationship between these rules, including whether “proceed[ing] separately” with a claim is the same as severing it.

The 3-judge concurring opinion in Barron, upon which Johnson & Johnson relies for its writ petition, suggested that, when the trial court determines that a plaintiff’s claims should be separately tried, it has effectively “severed” that plaintiff’s claims from the remaining plaintiff(s). Alternatively, where the trial court has determined that the claims should not be tried together, it would ordinarily have no basis to deny a subsequent motion to sever. Because Mo. Rev. Stat. § 508.012 (part of the 2005 tort reform) requires reassessment of venue when a plaintiff is either added to or removed from the petition, and mandates transfer if venue is improper, the trial court’s failure to formally sever a separately-tried claim deprives defendants of the benefit of the statute.

When there has been severance, the normal administrative process would involve the assignment of a new case number to the severed case and, normally, random judicial reassignment. Severance of claims permits the court to render separate judgments which will be deemed final for purposes of appeal. Engel Sheet Metal Equipment, Inc. v. Shewman, 301 S.W.2d 856, 859 (Mo. App. St. L. 1957). The claims, being independent, would be subject to independent venue and jurisdictional analysis, having been unchained from the Missouri anchor plaintiff.

It is interesting that the Supreme Court has issued a preliminary writ in the Blaes matter. Although an order for separate trials is not generally deemed to be equivalent to an order for severance, that general principle must be considered in the context of the venue statute, which does contemplate a reassessment of venue. A court may be required to order severance based upon misjoinder, and the Johnson & Johnson argument seems targeted squarely at overcoming the “lack of prejudice” finding in Barron – the prejudice is in the denial of the rights afforded under Mo. Rev. Stat. § 508.012. Additionally, where the court has discretion to sever based upon judicial economy, fairness, and prejudice, it still appears to be an abuse of discretion to order 47 separate trials but refuse to sever them into independent actions.

Johnson & Johnson’s writ petition may be the hook to pry loose severance orders in these multi-plaintiff cases. Ideally, however, the impropriety of joinder would be assessed at an earlier stage of the litigation, before decisions on trial management have been made. We are hopeful that recent developments in the talc cases indicates a shift away from recent practices in these multi-plaintiff cases.

Is It Necessary for an Expert Opinion to Take Into Account Obvious Alternative Explanations for an Injury? Eighth Circuit Weighs In.

07 Aug 2017

In Redd v. DePuy Orthopaedics, Inc., the Eighth Circuit Court of Appeals has reminded litigators of the importance of ensuring expert witnesses perform a thorough review of a matter, including apparent alternative causal explanations, prior to issuing their opinions.

In 2008, plaintiff Redd underwent a total hip replacement, receiving an implant supplied by hip manufacturer DePuy Orthopaedics, Inc. At the time of her surgery, Redd suffered from a number of risk factors that placed her at a higher risk for failure of the implant as she took immunosuppressant drugs and was considered morbidly obese. Four years after her initial surgery, the implanted hip stem fractured. During the revision surgery to replace the hip stem, the doctors determined that the stem had not properly grown into the bone at the top of Redd’s hip, which was a known possibility given her risk factors. Two years after her revision, Redd again experienced a hip stem fracture. Plaintiff brought a federal diversity action against DePuy Orthopaedics, alleging negligence and strict liability claims based on product defect and failure to warn. DePuy moved for summary judgment and for exclusion of plaintiff’s expert testimony under Federal Rule of Evidence 702 and the analysis set forth in Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).

Plaintiff retained a professor of metallurgy and materials science, Dr. Shankar Sastry, to testify as to the cause of the fracture. In preparing his expert report, Dr. Sastry failed to review records related to the manufacturing process of the hip implant and disregarded consideration of biomechanical factors that could have resulted in failure of the prosthesis. Dr. Sastry concluded that it was the physical state of the implant’s metal that caused the fracture. He further concluded that any individual environmental or biomechanical factors would have been a secondary cause of the fracture.

In granting DePuy’s motion to exclude Dr. Sastry’s testimony, the US District Court for the Eastern District of Missouri concluded that Dr. Sastry lacked a scientific or factual basis to conclude that there was a manufacturing defect or to opine on causation, and that he failed to consider the necessary issues of the forces that were exerted on the implant as it was placed in Redd’s hip. Following exclusion of Dr. Sastry’s testimony, Redd lacked expert testimony on defect or causation and DePuy’s motion for summary judgment was granted.

On appeal, the Eighth Circuit reviewed the district court’s exclusion of Dr. Sastry’s testimony, the propriety of which is governed by Rule 702 and the Daubert standard. Plaintiff argued that the district court erred by requiring Dr. Sastry to exclude other potential causes of the fracture. The Eighth Circuit concluded that, while an expert is not required to rule out all possible causes of an injury, he or she nonetheless should adequately account for obvious alternative explanations. Dr. Sastry did not consider the obvious alternative explanation for the fracture—failure of the hip stem to grow into the patient’s upper hip bone and subsequent failure to properly distribute her weight—which was a known possibility at the time of Redd’s surgery given her risk factors. Because Dr. Sastry failed to consider the individual biomechanical forces placed on the prosthesis in issuing his report, the district court’s decision to exclude the causation testimony was affirmed.

The opinion may be found here.

For more on Missouri’s recent adoption of the expert witness standard set forth in Federal Rules of Evidence 702 and Daubert, see The Daubert Standard – Coming Soon to a Missouri Court Near You.

FDA - Postmarket Management of Cybersecurity in Medical Devices

05 Jun 2017

It seems almost impossible in today’s world to escape our dependence on technology. From the minute we wake-up in the morning, we access news reports on our tablets, keep track of our health with fitness trackers, receive and respond to e-mails on our mobile phones, and many of us rely upon interconnected medical devices, such as insulin pumps, to safely navigate through a typical day. But such convenience is not without risk.

Medical devices, like all interconnected technology, can be vulnerable to security breaches, which “may compromise the essential clinical performance of a device” and potentially impact patient safety. The Food and Drug Administration (“FDA”) thoroughly understands this benefit v. risk balance, and has issued a number of recommendations that address comprehensive cybersecurity over the lifecycle of medical device products. Most recently, on December 27, 2016, the FDA issued its final Guidance on Postmarket Management of Cybersecurity in Medical Devices. The recommendations apply to medical devices that use software, including programmable logic and software that is regulated as a medical device, including mobile medical apps. You can link to the full text of the Guidance here. This final Guidance closely resembles a draft of the document, issued for comment almost a year prior. For more details on our take of the draft Guidance, see our prior series “FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices” posted in four parts here, here, here, and here. This Postmarket Guidance also follows the FDA’s Guidance on medical device premarket cybersecurity, issued in October 2014, discussed in more detail here.

The final Guidance outlines steps that medical device manufacturers and health care systems should take to monitor, identify, understand and address cybersecurity risks once medical devices and mobile medical devices have entered the marketplace. Yet, don’t allow the “guidance” nature of the document fool you into believing its recommendations are optional, as the FDA takes the position that manufacturers are required to ensure the safety and efficacy of their medical devices, and should they choose not to follow this guidance, the device vendor must have in place another similar cybersecurity strategy in order to avoid regulatory scrutiny.

From this Guidance emerges two predominant concepts: 1) the Guidance, like its predecessor draft and the 2014 Premarket Guidance, follows a risk-based approach, i.e., guiding manufacturers to identify, assess, and mitigate risks that emerge after the device has been introduced to market; and 2) medical device cybersecurity and cybersecurity risk management must be proactively addressed throughout the entire lifestyle of a product, and is a shared responsibility among stakeholders including health care facilities, patients, providers, and manufacturers of medical devices.”[1] In other words, cybersecurity controls should be incorporated into the design, development and manufacture of a device. But after marketing and during patient use, the device should be continuously monitored, and cybersecurity concerns addressed.

As Suzanne B. Schwartz, the FDA’s associate director for science and strategic partnerships, stated in a blog post concurrent with the issuance of the Guidance itself, “[w]ith this guidance, we now have an outline of steps the FDA recommends manufacturers take to remain vigilant and continually address the cybersecurity risks of marketed medical devices.”[2] “This approach enables manufacturers to focus on continuous quality improvement, which is essential to ensuring the safety and effectiveness of medical devices at all stages in the device’s lifecycle.”[3] Essential to the FDA’s recommendations is the belief that device manufacturers implement comprehensive cybersecurity risk management programs and documentation which emphasizes “addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may result in patient harm. Manufacturers should respond in a timely fashion to address identified vulnerabilities.”[4]

Critical components of such a program include:

Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
Maintaining robust software lifecycle processes that include mechanisms for:
- monitoring third party software components for new vulnerabilities throughout the device’s total product lifecycle;
- design verification and validation for software updates and patches that are used to remediate vulnerabilities, including those related to Off-the-shelf software;
Understanding, assessing and detecting presence and impact of a vulnerability;
Establishing and communicating processes for vulnerability intake and handling
Note: The FDA has recognized ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes;
Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk;
Adopting a coordinated vulnerability disclosure policy and practice. The FDA has recognized ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure which may be a useful resource for manufacturers; and
Deploying mitigations that address cybersecurity risk early and prior to exploitation.[5]

It is further recommended that the program incorporate elements consistent with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover). For more details on these concepts, please see our previous discussion, which can be found here.

Perhaps more important than the shared responsibility of risk mitigation in cybersecurity among all stakeholders, is the concept that, in the FDA’s view, cybersecurity risk management should revolve around assessing therisk to the device’s essential clinical performance, which focuses on assessing the risk of patient harm.[6] As the Guidance explains, “[a] key purpose of conducting the cyber-vulnerability risk assessment is to evaluate whether the risk of patient harm is controlled (acceptable) or uncontrolled (unacceptable). One method of assessing the acceptability of risk involves using a matrix with combinations of “exploitability” and “severity of patient harm” to determine whether the risk of patient harm is controlled or uncontrolled.”[7] This focus is achieved by considering:

(1) The exploitability of the cybersecurity vulnerability, and

(2) The severity of patient harm if the vulnerability were to be exploited.[8]

Such risk is to be assessed according to these two considerations on a sliding scale, which ranges from a controlled risk (low probability of a cybersecurity exploit with little impact on patient health) to an uncontrolled risk (high probability of an exploited vulnerability that seriously threatens patient safety or even patient death). While in some cases the evaluation will yield a definite determination of controlled or uncontrolled, the possibility remains that not all situations will produce such distinct results.[9]

The Guidance provides that manufacturers should have processes for assessing the exploitability of a cybersecurity vulnerability as well as the severity of patient harm, if the cybersecurity vulnerability were to be exploited. The FDA suggests using a cybersecurity vulnerability assessment tool or similar scoring system for rating vulnerabilities and determining the need for and urgency of the response, such as the “Common Vulnerability Scoring System,” Version 3.0.[10] Many adequate methodologies may be utilized to analyze the potential severity of patient harm, yet the Guidance highlights an approach based on qualitative severity levels as described in ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices.[11] These levels range from Negligible (inconvenience or temporary discomfort) to Catastrophic (resulting in patient death).

The figure below shows the relationship between exploitability and severity of patient harm, and can be used to categorize the risk of patient harm as controlled or uncontrolled.[12]

While the FDA clearly distinguishes between a controlled risk and uncontrolled risk, even its illustrative chart above shows a large gray area of in-between, further acknowledging that it will not always be clear in which category the risk belongs.

The FDA Guidance then sets forth recommended proper responses to controlled and uncontrolled risks. Controlled risk scenarios involve relatively minor issues, where there is sufficiently low (acceptable) risk of patient harm. However, manufacturers are still encouraged to proactively promote good cyber hygiene and reduce cybersecurity risks even when residual risk is acceptable.[13] Uncontrolled risks, on the other hand, require immediate intervention and remediation, and must be reported under 21 CFR part 806, unless:

(1) There are no known serious adverse events or deaths associated with the vulnerability;

(2) The manufacturer communicates with its customers and user community regarding the vulnerability, identifies interim compensating controls, and develops a remediation plan to bring the risk to an acceptable level, as soon as possible, but no later than 30 days after learning of the vulnerability;

(3) The manufacturer fixes the vulnerability, validates the change, and distributes the deployable fix to its customers and user community within 60 days; and,

(4) The manufacturer actively participates as a member of an Information Sharing Analysis Organization or “ISAO.”[14]

Like its draft before it, the final Guidance additionally contains an essential practical element in its Appendix: “Elements of an Effective Postmarket Cybersecurity Program.” The Appendix encompasses the totality of the FDA’s recommendations, in an easy to follow five-prong framework, consistent with the elements of the NIST Framework for Improving Critical Infrastructure Cybersecurity. These prongs are: A) Identify, B) Protect/Detect, C) Protect/Respond/Recover, and D) Risk Mitigation of Safety and Essential Performance.[15]

All medical devices come with both risks and benefits. While it may not always be clear whether a particular risk is categorized as controlled or uncontrolled, the FDA has been explicitly clear in both its Premarket and Postmarket Guidances that comprehensive cybersecurity and risk analysis must be addressed over the lifecycle of medical device products, keeping a primary focus on the risk of patient harm.

[1] Guidance, at 12.

[2] https://blogs.fda.gov/fdavoice/index.php/2016/12/managing-medical-device-cybersecurity-in-the-postmarket-at-the-crossroads-of-cyber-safety-and-advancing-technology/

[3] Id.

[4] Guidance, at 13.

[5] Guidance, at 13-14.

[6] Guidance, at 15 (emphasis in original).

[7] Guidance, at 17.

[8] Guidance, at 15.

[9] Guidance, at 17.

[10] For more details, see “Common Vulnerability Scoring System,” Version 3.0: Specification Document (https://www.first.org/cvss/specification-document).

[11] Guidance, at 17.

[12] Guidance, at 18.

[13] Guidance, at 19.

[14] Guidance, at 22-23.

[15] Guidance, at 27-30.