
Data Breaches Are a Growing Legal Threat for Healthcare Industry

Written on Behalf of Brian S. Kabateck

August 4, 2017

The medical community is reeling from a rash of cyberattacks involving extensive data breaches that compromise the privacy of patients. According to the Government Accountability Office, healthcare data breaches are growing exponentially, affecting millions of Americans whose most sensitive information has been compromised, leaving them vulnerable to identity theft. As the healthcare industry attempts to modernize its record-keeping systems, hospitals, insurance companies and public companies are struggling to maintain proper IT security protocols, putting consumers at risk.

Within the past year, hackers have committed 16 healthcare data breaches nationwide, three of which occurred in Southern California. In August 2016, cyber criminals installed ransomware on two servers at University of Southern California’s Keck Medicine, encrypting documents and making them inaccessible to employees. A month earlier, Los Angeles County | USC Medical Center had to notify 700 patients of a potential data breach after thieves stole protected health information from an employee’s car. In June, SCAN Health Plan in Long Beach, CA learned that contact sheets, which include patients’ names, addresses, Social Security numbers and private health information, were accessed and viewed by an outside party. It’s unknown how many people are affected by this unauthorized access to private data.

These smaller breaches rarely get much attention because they are eclipsed by massive attacks such as the one on Anthem, Inc., in which hackers accessed the medical records of 80 million people. Premera Blue Cross had a similar cyberattack that exposed the private information of nearly 11 million people. While these high-profile breaches are a major cause for concern, the smaller-scale intrusions are just as damaging, and consumers are fighting back. Patients feel powerless to protect themselves after providing their private information to a trusted institution, only to find out their insurance company or medical provider has been careless with their data.

Medical identity theft is often difficult to detect shortly after a data breach. It can take time before consumers understand the extent of fraudulent charges or unauthorized accounts opened in their name. Stolen data can be exploited for the rest of a victim’s life, which is especially devastating for children, who may experience consequences that can hamper their financial future. The challenges involve proving how the defendant was negligent and showing how the plaintiff suffered harm.

Anthem is facing more than 50 class action lawsuits related to its 2015 breach. The insurance giant could be held legally responsible for violating the federal Health Insurance Portability and Accountability Act (HIPAA) and various state laws. HIPAA does not allow private citizens to bring lawsuits based on violation of the statute, but its Security and Privacy rules can be used to demonstrate a “standard of care,” which enables plaintiffs to sue on the basis of negligence.

Court decisions are beginning to shift in favor of plaintiffs, who no longer have to demonstrate they’ve suffered financial damage but can instead show there’s an increased likelihood of it happening. In a recent 2-1 decision, a Sixth Circuit panel reversed the dismissal of a class action lawsuit that stemmed from a 2012 data breach at Nationwide Mutual Insurance Co. The three-judge panel determined that plaintiffs do not have to wait for someone to exploit their private information to meet the bar set by the U.S. Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins.

In the lawsuit, plaintiffs Mohammed Galaria and Anthony Hancox claim negligence and violations of the Fair Credit Reporting Act by Nationwide for its failure to implement strong security measures that would have prevented hackers from gaining access to personal information, such as names, Social Security numbers and other private data, of more than one million people.

The district court previously tossed the plaintiffs’ negligence claims, reasoning that while they may have lost control of their data, they couldn’t prove their information would be misused, such as by a thief making fraudulent charges on their credit card. But the Sixth Circuit disagreed, saying that victims of data theft are at greater risk of fraud and are forced to take preventive measures to ensure crooks don’t gain access to their credit cards.

Surveys show that consumers overwhelmingly feel concerned and unsettled by data breaches. It can take months to regain trust in an organization after a cyberattack, and some say their trust in the company would be lost permanently. In an increasingly digital world, it’s clear data breaches will become more common, but it’s time for companies to prioritize security and focus on defending their most sensitive information.

When a case is brought as a class action, the court will first decide whether it is a proper class action through a process called class certification. Then, the parties proceed toward trial on the basis of the claims in the case. Due to the nature of the case, the court must approve any settlement and will order notice to be given to any class action members who will be bound by a settlement agreement or a dismissal of the case.

The attorneys at Kabateck LLP have honed their specialized skills in handling class action litigation for several decades. Whether the suit is for a data breach, an inoperative medical device, or an improper accounting at the bank, our attorneys have successfully represented thousands of clients in class action or similar representative actions.