New Loop: Data Breach to Lawsuit

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure

A recurring pattern has developed when it comes to data breaches. The first part of the pattern is that healthcare is under constant cyber attacks that challenge security measures while aiming to get access to private and sensitive information within the systems. The prevalence of data breach notifications underscores how frequently security measures are being circumvented.

The second developing part of the recurring pattern is that bigger data breaches (though the size seems to be shrinking) result in lawsuits, which often seek certification as a class action. The certification as a class action is necessary because a lawsuit cannot necessarily automatically start as a class action. As a quick aside, a class action is a lawsuit that allows the court to group together what would otherwise be a number of separate lawsuits into one case where each of the individuals suffered the same harm. To be able to proceed as a class action, the court must find that there are so many people impacted that separate cases or just joining cases would be impracticable, common questions of law or effect are in place, the claims of the proposed class representative are typical for the whole purported class, and the proposed class representatives will adequately protect the interests of the whole class. As the brief description hopefully shows, class certification is not a given.

Beyond the discussion about how to bring a class action, another component of filing a lawsuit is asserting some sort of harm. The harm assertion is supposed to be an actual harm not a potential or theoretical harm.

Getting back to the more serious issue, the number of post-data breach notification lawsuits is gaining momentum, which means the impact of a data breach may linger even longer than just recovering from the breach itself. The impact of a breach on an individual should not be downplayed, but there is a real question of whether a lawsuit will actually result in an appropriate or even expected remedy.

Nature of Breach Related Lawsuits

What do the lawsuits following a data breach look like? In most, if not all, instances the lawsuits are premised upon state laws and state-level privacy obligations. Where is HIPAA? Nowhere when it comes to a direct claim because there is no private right of action under HIPAA. If HIPAA will show up, then it may be used as a reference point for an organization’s baseline obligations or as a potential standard of care that the claimants want a court to apply.

Thinking about claims in the abstract can be difficult though. Briefly summarizing some of the recent cases that have been revealed will be instructive in understanding the nature of the claims being brought.

  • Bansley & Kiener (accounting firm) – An individual whose health information was purportedly held by the accounting firm filed suit alleging (i) that notice of the breach was not timely and (ii) a failure to implement appropriate safeguards to protect information under its control. The plaintiff goes on to assert that delaying the notification left impacted individuals unaware of the increased risk to their privacy and the leakage of data has left the individuals susceptible to an increased risk of identity theft and related issues. No direct harm seems to have been alleged though.
  • Broward Health – After a health system provided notification of a breach to potentially impacted individuals. One individual then filed suit, including seeking class certification, that the system failed to adequately protect the information in its systems. There is also an assertion that notice was not timely, though it should be noted that the incident occurred in October 2021 and notification was out by early January 2022). In what will be a common assertion, the harm alleged by the plaintiff is an increased risk of identity theft, financial fraud, and other similar types of fraud. No actual incident was identified yet.
  • QRS (EHR vendor) – After a hacker was found to have accessed a server dedicated to a patient portal operated by the vendor, notification of the breach was sent out. The claims in the subsequently filed lawsuit allege that QRS was negligent because it did not reasonably secure, monitor, and maintain the sensitive information that it handled. Similar to the other suits, a claim of delayed notification was thrown in, though again in this instance the notification appears to have occurred within the timeframe permitted by HIPAA. Turning to the harm incurred, the plaintiff tries to claim actual damages by stating that in addition to the increased threat of identity theft, the impacted individuals suffer from a diminishment in value of their personal information, incurred unspecified out of pocket costs responding to the notification, and had to spend time trying to mitigate the impact of the breach.
  • BioPlus Specialty Pharmacy – A cyberattack resulted in access to BioPlus’ system over a period of time spanning late October 2021 into early November 2021. A review could not determine whether all or only a subset of data were impacted. Even with the uncertainty, notification of the breach was given in December 2021, which included a relatively standard offer of credit monitoring. The subsequent lawsuit, in a differentiation from the notice, claims that data were stolen and that theft of the data created risk of ongoing issues. The complaint tries to detail direct harm by asserting that impacted individuals had to spent time address and mitigating the potential impacts, which translated to reduced productivity ostensibly connected to jobs as well as broadly stating that emotional grief resulted from the uncertainty. Lastly, the complaint faulted the lack of assurance that data had been returned or destroyed, which seems to run contrary to the lack of any definitive statement in the notice that data were taken.

Purported Harms

A common theme running through the lawsuits is the inability to identify actual harms or somewhat stretching to claim some vague or indefinable harm from responding to the breach. As previous cases have shown, the difficulty in asserting actual harm is a stumbling block for the cases. While nothing can really stop a suit from being filed, the question is whether the suit will be able to go anywhere. A frequent first step after the filing of the suit is to bring a motion to dismiss. The motion to dismiss will focus on the vague harms identified in the complaint, which may not be enough to pass muster in being able to sustain a claim. A potential factor in that regard may be the number and frequency of data breaches. If an individual has been impacted many times, there is a real question of what impact, if any, another breach will have on the information.

As of yet, there is not necessarily a clear standard being followed by courts across the country. Given that many of the cases rest on state law, it should not really be all that surprising that a national standard does not yet exist. Despite cases relying upon state law though, decisions from out of state can be used as persuasive precedent as a new state sets the direction that it will follow. From that perspective, publishing decisions and the reasoning for decisions will be important. Establishing consistency would make it easier for all to understand the playing field.

Resolving a Suit

Even when a suit does progress, it is not clear how much direct benefit the impacted individuals receive. While big dollar figures may be included in a settlement, a frequent component of the settlement is that a majority of the money will be spent by the settling organization to improve its own security practices and measures. Any money directly in the pocket of an individual can be limited, often to what amounts to only a token amount.

Taking a broader view on the settlements, resolving a suit could actually most appropriately be considered as getting rid of a nuisance. An organization could easily incur fees and costs in excess of a settlement amount by pursuing litigation. Further, if part of the settlement involves internal investment, then it is actually more of an outward commitment to activities that arguably should have occurred anyway.

Where Next?

There is no reason to expect that lawsuits will slow down or stop, but the next steps in the road, as already suggested, should be establishing clear nationwide standards for breach related claims and just better focusing on security upfront. Level setting expectations would serve to help all.

This article was originally published on The Pulse blog and is republished here with permission.