Sunday, June 28, 2015

Fraud Detection in Patient Records Patent -- Is it Patent-Eligible?

"In other words, Claim 1 comprises..." Perhaps the most dangerous words in a court opinion directed to the patent eligibility of a challenged patent. I say dangerous because essentially any patent claim can be presented "in other words" in order to describe it as broadly directed to some abstract idea, and doing so avoids careful analysis of the particular meaning of all words in a challenged claim.

FairWarning IP, LLC sued Iatric Systems for infringement of U.S. Patent 8,578,500, directed to a method and system for detecting fraud and misuse in connection with electronic patient data. The defendant asked the Court to dismiss the claim, arguing the patent was directed to an ineligible abstract idea.

The Court went through the basic framework for making such a determination: (1) Is the claim directed to an abstract idea; and (2) if so, look at the claims to determine whether the elements of the claim transform the nature of the claim into patent-eligible subject matter.  See Alice Corp. v. CLS Bank International, 134 S. Ct. 2347, 2355 (2014).

The Federal Circuit has sought to clarify this test, particularly in connection with computer inventions. See DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1247 (Fed. Cir. 2014) (upholding claims which are "necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer networks.")

Claim 1 of the '500 patent requires the following elements:
1. A method of detecting improper access of a patient’s protected health information (PHI) in a computer environment, the method comprising: 
generating a rule for monitoring audit log data representing at least one of [the] transactions or activities that are executed in the computer environment, which are associated with the patient’s PHI, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, accesses by a specific user, that is indicative of improper access of the patient’s PHI by an authorized user wherein the improper access is an indication of potential snooping or identity theft of the patient’s PHI, the authorized user having a pre-defined role comprising authorized computer access to the patient’s PHI;  
applying the rule to the audit log data to determine if an event has occurred, the event occurring if the at least one criterion has been met;  
storing, in a memory, a hit if the event has occurred; and providing notification if the event has occurred. 
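
To make the claim elements concrete, here is an added illustration (not code from the '500 patent, from either party, or from this post's author) of a rule with the three kinds of criteria the claim names, applied to audit log data, with hits stored and a notification issued. The `Rule` fields, thresholds, user names and log rows are all hypothetical and constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    max_accesses: int                       # volume criterion, counted per user
    window_start: time                      # time-interval criterion
    window_end: time                        # window may wrap past midnight
    watched_users: frozenset = frozenset()  # specific-user criterion

# Constructed audit log rows: (timestamp, user, patient id). Every user is
# assumed to hold a pre-defined role that authorizes access to PHI.
AUDIT_LOG = [
    ("2015-06-01T09:15:00", "nurse_a", "P100"),
    ("2015-06-01T09:20:00", "nurse_a", "P101"),
    ("2015-06-01T10:00:00", "nurse_a", "P102"),
    ("2015-06-01T10:05:00", "nurse_a", "P103"),
    ("2015-06-01T11:00:00", "dr_c", "P100"),
    ("2015-06-01T23:40:00", "clerk_b", "P100"),
]

def in_window(t, start, end):
    """True if t falls in [start, end), including windows that wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def apply_rule(rule, log):
    """An event occurs for a row if at least one criterion is met."""
    hits, per_user = [], Counter()
    for ts, user, patient in log:
        per_user[user] += 1
        met = []
        if per_user[user] == rule.max_accesses + 1:  # report once, on crossing
            met.append("volume")
        if in_window(datetime.fromisoformat(ts).time(),
                     rule.window_start, rule.window_end):
            met.append("time_interval")
        if user in rule.watched_users:
            met.append("specific_user")
        hits.extend((ts, user, patient, c) for c in met)
    return hits

def monitor(rule, log, notify=print):
    hit_store = apply_rule(rule, log)  # hits are stored in memory
    for ts, user, patient, criterion in hit_store:
        notify(f"{ts} {user} -> {patient}: {criterion} criterion met")
    return hit_store

if __name__ == "__main__":
    monitor(Rule(3, time(22, 0), time(6, 0), frozenset({"dr_c"})), AUDIT_LOG)
```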

Here, the defendant argued the claims were directed to the abstract idea of "analyzing records of human activity to detect suspicious behavior."  The Court agreed:

[T]he ’500 patent is “directed to” or “drawn to” the concept of “analyzing records of human activity to detect suspicious behavior.” (Doc. 50 at 2) Reviewing activity to detect suspicious behavior is not unique to the context of private health information, and binding precedent has invalidated patents “directed to” similar concepts. E.g., CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1367 (Fed. Cir. 2011) (invalidating a patent that claimed a “method and system for detecting fraud in a credit card transaction between [a] consumer and a merchant over the Internet”); accord Intellectual Ventures II LLC v. JP Morgan Chase & Co., 2015 WL 1941331, *3 (S.D.N.Y. April 28, 2015) (Hellerstein, J.) (invalidating a patent that claimed a “method for monitoring multiple computer hosts within a network for anomalies, and alerting the various hosts of possible intrusion”); Wireless Media Innovations, LLC v. Maher Terminals, LLC, 2015 WL 1810378, *8 (D.N.J. April 20, 2015) (Linares, J.) (invalidating patents “directed to the . . . abstract idea[ of] monitoring locations, movement, and load status of shipping containers within a container-receiving yard, and storing, reporting and communicating this information in various forms through generic computer functions”). Reviewing activity to detect suspicious behavior is a basic and well-established abstract idea 
[EDITOR'S NOTE: The Court referred to "binding precedent," yet only cited a 2011 (i.e. pre-Alice and pre-DDR) decision.]

FairWarning argued the claims were necessarily rooted in computer technology (per DDR Holdings) because the claims "provide[] a solution to a technological problem, namely identifying potential snooping and identity theft by authorized users." The Court was not persuaded.

Finding the patent directed to an abstract idea, the Court turned to the second step: do the claim elements transform the patent into something more? The Court began the discussion as follows:

In other words, Claim 1 comprises (1) generating a rule “related to” the number of accesses, the timing of accesses, and the specific users in order to review “transactions or activities that are executed in a computer environment”; (2) applying the rule; (3) storing the result; and (4) announcing the result.
[EDITOR'S NOTE: The Court looked at the individual elements of the claim, but then merely paraphrased what those elements might be.  And the Court did so without considering what one of skill in the art would understand the terms to mean.]

The Court conducted the analysis as follows:

None of the steps in Claim 1’s method transforms the abstract idea into a patentable concept. Although the first step of the method requires “generating a rule for monitoring audit log data,” Claim 1 neither states a rule nor instructs a computer to generate a rule. Instead, in at least one embodiment of the invention, “the rule is created by the user and/or a third party, such as a consultant with particular knowledge as to fraud or misuse of the particular type of data.” ’500 patent, col. 13, ll. 11–13. Also, the function performed by the computer in each remaining step of Claim 1’s method is “purely conventional.” Alice, 134 S. Ct. at 2358 
[EDITOR'S NOTE: The Court appears to have limited its analysis to a single embodiment disclosed in the specification. And it's not clear the Court addressed Claim 1's limitation that the rule at issue must be "indicative of improper access of the patient's PHI by an authorized user wherein the improper access is an indication of potential snooping or identity theft of the patient's PHI, the authorized user having a pre-defined role comprising authorized computer access to the patient's PHI."]

The Court went on to find the patent directed to ineligible subject matter, and to dismiss plaintiff's complaint without prejudice, allowing "FairWarning [to] amend the complaint to assert a claim that is independent of the '500 patent's validity."

Motion to dismiss, granted.

FairWarning IP, LLC v. Iatric Systems, Inc., Case No. 8:14-CV-2685 (M.D. Fla. June 24, 2015) (J. Merryday)