[BreachExchange] Banner Health Suits Raise Significant Questions for Data Breach Class Actions

Thu Sep 15 20:24:10 EDT 2016

http://www.jdsupra.com/legalnews/banner-health-suits-
raise-significant-76124/

Banner Health recently announced that hackers may have gained “unauthorized
access to patient information” and “payment card data” from approximately
3.7 million patients, health plan members, food and beverage customers, and
physicians.  The breach has been reported as the largest for a hospital in
2016.

According to Banner Health, attackers obtained access to the
“point-of-sale” systems at food and beverage outlets in its facilities,
reminiscent of recent attack suffered by the hospitality industry.
Apparently, Banner Health failed to separate its systems and servers
containing personally identifying information (“PII”) and protected health
information (“PHI”) from those used for its point-of-sale system.  After
the breach, Banner informed its employees and its patients that their data
may have been compromised.

Banner Health’s patients and providers wasted little time in bring suit,
with both having filed class action complaints in the District of Arizona.
Plaintiffs allege that Banner Health negligently maintained the security of
Plaintiffs’ PII and PHI, failed to immediately notify them of the data
breach, breached Banner Health’s representations concerning its data
security, and violated Plaintiffs’ right to privacy.

Banner Health has not yet filed motions to dismiss or answers.  But given
the allegations in the complaints, the district court will need to resolve
a number of unsettled questions:

•  Standing: The named Plaintiffs do not know whether hackers accessed—let
alone used—their data. Accordingly, they pled that they “live in fear of
identity theft” and that they have spent “time and money safeguarding”
their personal and private information.  Although the Seventh Circuit
heldthat such allegations are sufficient for Article III standing, the
Ninth Circuit has not weighed in on this issue.

•  Contractual Obligations: In other data breach class actions against
health care providers and insurers, plaintiffs have claimed—with mixed
success—that their contracts incorporated the entities’ PHI and PII privacy
policies. In the Banner Health complaints, Plaintiffs have not asserted a
claim for breach of contract, instead asserting a promissory estoppel
claim.  It is unclear whether this tactic will prove successful.

•  Failure to Notify: Some courts have held that defendants who disclose
data breaches or provide free fraud protection services admit—at least at
the pleading stage—that plaintiffs were among those affected by a data
breach. The complaints in Banner Health, in contrast, show that failure to
promptly notify consumers of a breach raises its own set of problems.
Relying on Arizona law, Plaintiffs alleged that Banner Health is liable for
not providing notice in the “most expedient manner possible and without
unreasonable delay.”

•  Federal Trade Commission (“FTC”) Act Violations: The FTC has stepped up
its enforcement effortsagainst companies that fail to protect consumers’
data. The Commission has concluded that lax cybersecurity practices are
“unfair or deceptive acts” under the FTC Act.  That Act, though, does not
provide a right of action for private parties.  So, Plaintiffs in Banner
Health are bootstrapping recent FTC decisions, claiming that Banner Health
acted negligently under Arizona law because it violated the FTC Act.
Plaintiffs may also argue that, in light of the FTC’s recent decisions,
Banner Health violated the Arizona Consumer Fraud Act—which, like the FTC
Act, prohibits “deceptive or unfair” acts and practices.  Rev. Stat.
§44-1522; see Sellinger v. Freeway Mobile Home Sales, 110 Ariz. 573, 575
(1974) (implying a right of action).

These law suits are not the end of Banner Health’s problems.  It does not
appear that the Department of Health and Human Services (“DHHS”) has
initiated proceedings against Banner Health.  But if the past is a
prologue, an enforcement action is a real possibility.  Banner Health owns
and operates over 29 hospitals and various other health facilities.  As
such, it is a covered entity under the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”) and the Health Information Technology
for Economic and Clinical Health Act (“HITECH”).  And the implementing
regulations for those statutes require covered entities to properly secure
electronic PII and PHI—or face monetary penalties.

The Banner Health breach shows the danger of not segregating point-of-sale
systems from systems that store medical records.  Indeed, a 2012 study by
Verizon showed that point-of-sale systems are responsible for 48% of assets
compromised in health care data breaches.  Health care providers should
make sure that attackers cannot use point-of-sale systems—especially if
those systems are also used by third party vendors—as a jumping off point
to access the company’s entire network.

Whatever the Arizona district court ultimately decides, this case should
have a significant impact on future data breach class actions.  We will
continue to monitor the case, so stay tuned for further updates.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160915/c3bd311b/attachment.html>