[BreachExchange] Do Healthcare Data Breach Lawsuits Have Reasonable Standards?

Wed Apr 12 14:02:29 EDT 2017

http://healthitsecurity.com/news/do-healthcare-data-breach-lawsuits-have-
reasonable-standards

Being able to prove fault in a healthcare data breach class action lawsuit
is inherently difficult, but it is also important to understand the privacy
expectations, according to a recent Corporate Clients Insight blog post.

Data breach cases are not as simple for plaintiffs as it may seem, wrote
LeClairRyan Partner Chad Mandell. It is hard to prove proper legal standing
“and class certification remains an obstacle that has yet to be
successfully overcome,” he noted.

Citing the Anthem data breach where approximately 80 million individuals’
records were potentially compromised, Mandell stated that no court has yet
certified a consumer data breach class.

“The aforementioned Anthem case also highlights another question worth
considering in these suits — namely, whether plaintiffs are attempting to
hold companies to standards of data-privacy protection that are realistic
or fair in today’s cybersecurity environment,” Mandell explained.

The question has been raised, what are reasonable privacy expectations in
an increasingly digital age?

Mandell noted that some internet users do not practice smart security and
privacy practices. Lackluster passwords and failing to “opt out” of certain
invasive requests could potentially also cause information to be
compromised.

“No organization, no matter how large and no matter what security protocols
are in place, is immune from its systems being compromised,” Mandell wrote.
“Thus, it is reasonable to ask whether alleged damages in a data-breach
case truly can be traced to a given hack of a particular company or whether
they stem from a prior breach or multiple prior breaches of the plaintiff’s
own computer.”

Calling back to the Anthem case, Mandell explained how the court “framed an
order that drastically limited the amount of information that could be
culled from forensic examination of the plaintiffs’ computers.”

Measures were also put in place to control who had access to the
plaintiffs’ information.

“[Enough measures] so that one could safely state that the degree of
protection afforded to these plaintiffs’ personal information in the course
of the forensic examination would actually have been greater than under
most everyday circumstances,” Mandell stated.

Even so, it was not enough for all plaintiffs, he said. Therefore,
companies – such as Anthem and other healthcare providers – may be held to
impossible standards when it comes to keeping personal privacy protected.

Earlier this year, the US Court of Appeals, Fourth Circuit, dismissed a
data breach lawsuit that alleged the William Jennings Bryan Dorn Veterans
Affairs Medical Center (Dorn VAMC) had violated the Privacy Act of 1974 and
the Administrative Procedure Act (APA).

In that case, plaintiffs claimed that earlier reported Dorn VAMC data
breaches created an “increased risk of future identity theft,” and that
there were costly measures to protect against it.

The appeals court though agreed with the district court’s ruling in that
there was a lack of subject-matter jurisdiction.

Similarly, the Pennsylvania Superior Court recently dismissed claims in a
healthcare data breach class action lawsuit in 2016. The superior court
stated that the trial court needed to review the plaintiff’s claim under
the Uniform Trade Practices and Consumer Protection Law (UTPCPL).

Plaintiffs had filed a class action lawsuit against Keystone Mercy Health
Plan and Amerihealth Mercy Health Plan for a missing USB flash drive that
allegedly contained PHI. The plaintiffs claimed that the health plans had
performed deceptive practices under UTPCPL.

The judge explained though that justifiable reliance is necessary for
deceptive practice claims under UTPCPL.

“As stated previously, on December 9, 2014, a panel of this Court affirmed
the trial court’s denial of class certification on Appellant’s negligence
claims but vacated its decision to deny class certification on the UTPCPL
deceptive conduct claim,” the opinion stated. “In doing so, the panel noted
the trial court had concluded that Appellant’s UTPCPL claim did not satisfy
the commonality requirement of Rule 1702(2) because a plaintiff who brings
a private cause of action under the UTPCPL must show reliance…”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170412/8678bace/attachment.html>