If someone’s healthcare data is breached – if it’s lost, stolen or sold by cyber thieves – obtaining justice can seem remote. If you are a patient whose data was stolen, know that filing a lawsuit is expensive and risky – but can it work? If you are a covered entity or a business associate, should you be concerned? The answer to both questions is ‘yes’ and ‘no’.
Righting the Wrongs of a Healthcare Data Breach
HIPAA, the federal law designed to protect the security and privacy of health information, does not give individuals a right to sue for violations. Instead, HIPAA is enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). OCR will investigate all healthcare data breaches that affect 500 or more individuals, but the outcomes of those investigations vary widely, depending on the organization’s HIPAA compliance, its cooperativeness in the investigation, and the extent of the harm caused by the breach.
However, other laws can be used in court by someone who suffers harm from a healthcare data breach. State privacy and consumer protection laws permit private lawsuits, and the legal theories of negligence and breach of contract can be used. These cases can be brought by individuals, alone or combined in a class action, and State attorneys general can bring lawsuits against organizations for violating state laws. One of the largest lawsuits brought by State attorneys general was against a HIPAA business associate, American Medical Collection Agency, for a 2018 breach, and was settled early last year. A huge breach at Blackbaud, also a business associate, resulted in multiple lawsuits. Hospitals and other providers have also been sued.
Although HIPAA does not provide a right for individuals to sue, creative lawyers use HIPAA to bolster their case; they argue that HIPAA establishes a professional standard of care that healthcare providers should meet, and some judges have agreed. But proving that a defendant was wrong, or was negligent, or breached a contract is only half the battle. To win a lawsuit, a plaintiff needs to prove actual harm, usually monetary losses.
The trend of privacy lawsuits against health care providers and business associates continues. However, while some cases succeed, or at least settle with payments to the plaintiffs, others fail. Often, the ones that failed did so because the plaintiffs were not able to provide evidence of actual harm, damages or loss.
Two Different Results
Two recent healthcare data breach privacy lawsuits show contrasting results.
First, a Big Settlement
A healthcare clearinghouse (a covered entity), Inmediata Health Group of Puerto Rico, reached a $1.13 million settlement to resolve a class-action lawsuit brought against it by individuals whose protected health information (PHI) was breached.
Beginning in January 2019, a cyber thief gained access to Inmediata networks during a criminal cyberattack. The data breach compromised protected health information held by Inmediata, including names, addresses, Social Security numbers, telephone numbers, and other private health information. Over 1.5 million individuals were affected. Shortly after Inmediata notified the affected individuals, a group of them filed a class-action lawsuit.
Inmediata denied all wrongdoing in the settlement, but agreed to reimburse individuals for their out-of-pocket expenses related to the data breach, e.g., credit monitoring services, fraudulent charges, various fees, and even three hours of lost time billable at a rate of $15 per hour. Each individual may receive up to $2,500 in reimbursement and must apply with proof in order to participate in the settlement.
Second, a Judge Recommends Dismissal
PracticeFirst, a medical management company, was sued by a group of individuals whose data was breached in December 2020. Recently, a judge of the U.S. District Court for the Western District of New York recommended the dismissal of the class-action lawsuit against PracticeFirst, citing insufficient evidence of actual harm resulting from the breach.
The need for proof of actual harm was underscored in a Supreme Court decision last year. In Ramirez v. TransUnion, the Supreme Court ruled that data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage. Some see this ruling as a sign that courts will begin to take a harder stand in handling healthcare data breaches. Plaintiffs must now prove that they suffered a concrete injury to claim “standing” to sue. This is not actually a new concept. Plaintiffs have always been required to prove actual damages, not speculative or possible future damages, to win, but the recent Supreme Court decision specifically about healthcare data breaches is directly applicable and persuasive. It may discourage new cases where the proof of harm is not concrete.
In the PracticeFirst case, plaintiffs tried to argue that the breach caused actual injuries, including a “diminished PHI value”, a violation of their privacy rights, and the possibility of future harm due to the increased risk of identity theft. The judge was not persuaded, however, and the case will now likely be dismissed.
The parties have fourteen days to file objections to the judge’s recommendations, and the pleadings may be amended with new evidence, if it exists, of actual harm or costs incurred. But speculative damages, or costs incurred “in anticipation of possible non-imminent harm” were not enough for this judge, who followed Ramirez v. TransUnion, the Supreme Court case mentioned above.
Unfortunately, harm resulting from a healthcare data breach is not seen immediately but lurks in the future. There are patient safety risks caused by medical identity theft, in the form of insurance fraud or altered or inaccurate medical records, that may not be evident for months or years.
Lessons from Data Breach Privacy Lawsuits
Protecting patient privacy and security should be the top priority for every covered entity and business associate complying with HIPAA, with or without regard to possible lawsuits.
Healthcare organizations need to protect patient privacy to maintain trust and uphold quality care. They also face the risk of OCR investigations for HIPAA compliance and possible lawsuits from individuals and State attorneys general for failing to comply with state privacy laws. At least with regard to private lawsuits, plaintiffs are increasingly being required to show actual, concrete harm before a case can move forward. How future cases unfold will depend on the evidence they bring.