Companies that have a breach involving protected health information ("PHI") worry not only about fines and penalties imposed by the Department of Health and Human Services ("HHS"), but about class action lawsuits. The risk that a class action lawsuit will lead to financial liability, however, is often misunderstood.
In many, if not most, class action lawsuits that involve the loss of PHI, plaintiffs have been unable to prove that they have standing to seek recovery. Specifically, unless plaintiffs have been the victims of identity theft or have suffered some other type of concrete injury, most courts have refused to let them proceed based solely on the allegation that they are subject to an increased risk of harm as a result of the breach.
What factors should you look at when considering the risk that litigation poses following a breach?
The following summarizes the types of allegations where courts have, and have not, found standing.
Allegations Found to be Insufficient
• Alleged violation of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
• Data loss, but no evidence of access or misuse
• Data loss, but no evidence of identity theft
• Loss of value of PHI because the PHI can be sold on the cyber black market
• Patients’ right to truthful information about the security of their PHI after the breach
• Plaintiffs’ receipt of unsolicited phone calls from telemarketers and scam artists, without evidence that such calls resulted from the breach
• Costs incurred to travel to a different hospital with allegedly better security
Allegations Found by Some Courts to be Sufficient
• Plaintiffs' lost data has been actually accessed or misused
• Plaintiffs with no prior history of identity theft become identity theft victims shortly after breach
• Plaintiffs’ personal information had not previously been the subject of another unrelated breach
• Plaintiffs receive unsolicited phone calls marketing products related to information that has been breached (e.g., the products are for a specific medical condition listed in the breached PHI), but have never received such phone calls in the past