Litigation Evolves With Data Breach Scope, Frequency
By Elizabeth S. Goar
For The Record
Vol. 30 No. 4 P. 24
Did someone say more lawsuits?
From ransomware and malware to lost equipment and unauthorized access, breaches of protected health information (PHI) are occurring with alarming regularity. A study conducted by HIMSS Analytics on behalf of Mimecast Ltd found that 78% of participating health care organizations had experienced an e-mail–related cyberattack in the previous 12 months. Many reported more than a dozen instances of attack, whether in the form of ransomware, malware, or both.
According to the Office for Civil Rights (OCR), 277 breaches impacting more than 2.63 million individuals were reported during 2017. The majority (123) were caused by hacks or IT "incidents," while 96 were due to unauthorized access or disclosure. In all, the largest breaches were due to ransomware attacks, unauthorized server access, and viruses.
Furthermore, Ponemon Institute reports that health care organizations carried an average cost of $380 per lost or stolen record in 2017—the highest per-record cost among the industries studied and higher than the four-year average cost of $369.
Happening in tandem with rising instances of data breaches and a higher volume of affected individuals is an uptick in related litigation. Chris Apgar, CISSP, CEO and president of Apgar Associates and a frequent expert witness in breach litigation, notes that while he has not seen a dramatic increase in breach lawsuits, the number is climbing.
"The numbers continue to trend up and, along with that, the lawsuits," he says. "Over the past two or three years I think there's been a trend that when a significant breach occurs it's closely followed by the filing of lawsuits. Attorneys and plaintiffs have been paying attention to the headlines and previous lawsuits filed so they are, it seems, more prepared to file early."
Class Action Leads the Charge
According to Helen Oscislawski, JD, primary legal consultant to ComplyAssistant, class action lawsuits are one of the most visible trends in breach litigation as more individuals seek to hold organizations responsible for violating their privacy. While many have been tossed out, with lower courts finding that the breach alone doesn't meet the preliminary legal thresholds required to certify a class action lawsuit, "There are a few cases where we are starting to see judges permitting the class to move forward so that at least plaintiffs are being given an opportunity to demonstrate the facts supporting their claims rather than dismissing them outright for failing to meet the burden of proof," Oscislawski says. "We are also seeing cases in states, like California, that have enacted 'breach statutes' that do not require plaintiffs to demonstrate actual harm or damages from the breach of their data and have set statutory penalty amounts that can be automatically assessed against the breaching organization for failing to adequately protect data."
Among the theories employed by plaintiffs in class action cases are breach of contract arising from violating an organization's HIPAA Notice of Privacy Practices down to "your run-of-the-mill invasion of privacy tortlike claims," Oscislawski says. "There are also states that afford additional avenues to pursue a private right of action when certain specific types of information have been implicated in a breach, like HIV/AIDS information."
In New Jersey, statutes allow individuals to sue an organization when HIV/AIDS information has been breached. For example, a $17 million settlement was recently reached in a class action lawsuit brought against Aetna Health by The AIDS Law Project of Pennsylvania and Berger & Montague. The action stemmed from an informational mailing by Aetna in which the HIV medication information of 12,000 customers was exposed in envelope windows.
The growing volume of data breaches is not the only catalyst driving the increase in class action lawsuits. Today, HIPAA requires covered entities, including insurers and vendors, to notify individuals in writing—and, in some cases, the media—when their PHI has been breached. This was not the case in years past.
"More and more individuals are becoming aware of when their data are being compromised. As a result, it is likely that this in turn leads to a higher number of affected individuals to seek legal counsel to see if they have a legal remedy," Oscislawski says. "People are more likely to try to seek redress for data breaches where in the past they might not have even been aware that their data were compromised."
While each action is unique, Oscislawski notes that, in the absence of any injury to the plaintiff, "working to obtain a dismissal as quickly as possible and defeating any certification as a class action are typically key defenses."
Enter the Individual
Settling or securing dismissal of a class action suit doesn't necessarily mean the organization is safe from wronged patients seeking redress in court. Many states have passed legislation paving the way for individuals to pursue legal action even in the absence of physical injury or harm, and a growing number of courts are finding in the patient's favor.
"It amounts to permitting victims of breaches to sue for violations of HIPAA in certain states with state laws that include a private right of action," Apgar says, pointing to a recent ruling by the Connecticut Supreme Court that found in favor of plaintiffs who sued for damages following a breach. "I've also seen more cases crop up where the courts aren't requiring definite proof of harm following a breach. That is a significant change from 'If you can't prove harm, you don't have a case.'"
Aetna's HIV/AIDS breach is a prime example. While the class action case was settled, two of the plaintiffs decided to strike out on their own against the behemoth insurer and the vendor responsible for mailing the letters at the center of the breach.
"Oftentimes, the key issues aren't associated with the breach itself. There's more of a focus on what may have led to the breach in the first place," says Apgar, who points to a lawsuit for which he served as an expert witness in which a health care delivery system employee shared patient information with a patient's ex-husband.
"The case focused on the lack of privacy and security controls that had been implemented and the health care delivery system's privacy officer's lack of knowledge of what was really happening on the ground as it relates to following company privacy and security policies," Apgar says, adding that he's also seen cases where the defendant is being sued not because of the breach but rather because a stolen laptop was unencrypted.
"Several states have laws on the books referencing that 'reckless indifference' or 'gross negligence' when it comes to statutory compliance is a crime or at least a civil violation," he says. "That's sometimes easier to prove when it's alleged that the breaching entity is not following all the laws it's required to comply with and, as a result, a breach occurs that potentially causes harm to the individuals impacted by the breach."
Another example of a patient seeking to hold a health care organization accountable for its actions when PHI is breached is Byrne v. Avery Ctr. for Obstetrics & Gynecology, an odyssey for relief that has stretched on for more than a decade and left groundbreaking decisions in its wake. The plaintiff accused the practice of, among other things, negligence in releasing her medical file in violation of the HIPAA regulations that required it to notify the patient, adding in the suit that its actions constituted negligent infliction of emotional distress.
Despite a written statement within her record prohibiting any information to be released to her former partner, the practice turned over her entire medical record after receiving a subpoena requesting all of the plaintiff's medical records as part of a paternity suit. The practice also neglected to inform her of the request and its plan to release the information.
After multiple rulings by the lower courts and reversals by the Connecticut Supreme Court, the latter finally cleared a legal path for her to continue pursuing a remedy for the breach of her confidentiality. In its final reversal of the lower court's ruling, the Supreme Court noted that Connecticut common law now provides a remedy for a health care provider's breach of its duty of confidentiality, having previously decided that HIPAA "does not preempt the plaintiff's state common-law causes of action for negligence or negligent infliction of emotional distress" and could be used to "inform the applicable standard of care" for handling records.
"It seemed elementary to me, to be honest," says Bruce L. Elstein, JD, of Goldman Gruder & Woods, LLC, who represents the plaintiff. "What about the patient? What about the person who has been harmed? HIPAA provides civil and criminal sanctions for a breach but nothing for a patient harmed. Everything we know—and the Supreme Court cited it—is that it's all found in our common understanding that we reveal very private details to our doctors in order to obtain the best treatment [and are protected by] HIPAA's Privacy Rule and the doctor's Hippocratic Oath. It's why when we go to doctors we tell them what they need to know.
"If [practices] don't protect that information, we all are less safe," he continues. "Staff should be retrained to pay more attention to the requirements of HIPAA. They need to protect the patient, pay more attention, and make sure the people in medical records know what they are doing."
The Connecticut Supreme Court has reshaped state law when it comes to patients impacted by data breaches by finding that there is a duty of confidentiality between patient and physician, including not releasing medical records. This brings Connecticut in line with New York, New Jersey, and South Carolina, which have long recognized patients' rights for relief against damages caused by wrongful release of PHI.
"The majority of states that have considered it have found that there is a duty of confidentiality, and that if there is a breach, there is remedy," Elstein says. "As patients, we are all safer now. Physician's offices will pay more attention, protect our information, and be more careful in following HIPAA's Privacy Rule.
"You must notify the patient or you face the downside consequences of monetary damages for the patient's harm beyond civil penalties paid to the government."
An Ounce of Prevention
Health care organizations can no longer assume their punishment in a breach situation, regardless of the source, will stop with civil penalties. As more judgments are entered in plaintiffs' favor, protections and redress for the harmed patients are expanding. As such, health care organizations need to be aggressive about protecting data while maintaining continuous compliance with regulations governing its release.
Zuzana S. Ikels, JD, a principal at Polsinelli, an Am Law 100 law firm, expects that "a strong defense will be recognized once there is proof of a systematic plan in place, which a defendant can rely upon that it made 'reasonable' and 'industry standard' efforts to protect data."
However, she adds, "Data security is not just an IT issue. Organizations must undertake a systematic approach to evaluate and address risk."
To that end, Ikels points to the "Report on Improving Cybersecurity in the Health Care Industry" issued in 2017 by the Health Care Industry Cybersecurity Task Force, which "offers a laundry list of recommendations, guidelines, and practices aimed to streamline the compliance process and reduce risk while encouraging technological innovation, research and development, and sharing information."
Created by Congress as part of the Cybersecurity Act of 2015, the task force evaluated the cybersecurity threats to the health care industry, the current state of HIT systems, and the related health care laws and regulations. Among its observations was that health care has "invested in cybersecurity only in the last five years, while rapidly expanding the use of the Internet of Things … and the transition to EHR data, the combination of which magnifies the risk of breaches and data theft," Ikels says.
The report also discusses the acute threats related to the increasingly sophisticated ransomware attacks that hold data hostage, both critical patient information and data generated by connected monitoring devices.
"The key preventive actions, in my opinion, include cybersecurity planning, obtaining due diligence both internally and externally with your vendors, evaluating your operational structure and your contractual structure, implementing cyber insurance, and creating incident response plans," Ikels says. "Those are the most critical actions we counsel our clients on for immediate implementation of risk prevention."
Krystyna Monticello, JD, a partner with the Oscislawski law firm, recommends organizations assess their data collection and disclosure practices as well as data security to ensure they are compliant with industry and regulatory standards and implementing the appropriate best practices. Good cyber liability and breach insurance coverage is also important, as is ongoing employee training "in response to organizational changes, rapidly evolving external threats such as malware and phishing campaigns, and other risks affecting the organization," she says.
ComplyAssistant CEO Gerry Blass says it's important for covered entities to review their cyber and breach insurance terms. Those that don't could find their coverage in jeopardy as a result of failing to provide documented evidence of HIPAA compliance such as conducting periodic risk assessments and managing risk mitigation. Failure to do so could result in payment denials on the grounds of willful neglect.
"Covered entities that are not able to provide evidence of due diligence are likely in breach of the terms of their cyber insurance policy," Blass says. "There can be a double risk of damages due to an incident as well as a denial of payment. Covered entities should therefore avoid having a false sense of comfort and choose the path of due diligence knowing that health care is under attack and they could be next."
Apgar notes that a popular defense strategy is to refute noncompliance allegations by bringing in expert witnesses to demonstrate all the ways the health care organization is compliant, including providing copies of policies, training material, and employee training attendance records. Another strategy is to state that the organization has identified and addressed the deficiencies that led to the breach in the first place.
"It's sometimes a matter of demonstrating that the health care delivery system has done its due diligence up front and has taken the necessary steps to mitigate risk in a timely manner," Apgar says, adding that organizations need to go back to the basics with periodic risk analyses.
Finally, more attention must be paid to security, down to encrypting mobile devices, communicating policies to employees, and deploying tools to protect networks. This is especially critical now that the OCR is moving toward acting as an enforcement agency rather than just providing guidance and technical assistance.
"In a word," Apgar says, "OCR has lost patience with covered entities and business associates who, after more than a decade, fail to live up to the minimum requirements of HIPAA. Plaintiffs aren't just going after health care organizations for violations of federal law; they're also going after violations of state law."
— Elizabeth S. Goar is a Tampa, Florida-based freelance writer specializing in health care and HIT.
When it comes to data breach lawsuits, one area that remains gray is the standard for defining "harm." It can be a linchpin for many cases, which can be tossed out if the judge finds no harm has been identified.
"Federal courts are grappling with the harm standard along with the more existential question of the expectation of privacy for individuals. I expect the debate to continue for some time as cybersecurity standards and protocols evolve through trial and error," says Zuzana S. Ikels, JD, a principal at Polsinelli law firm.
Some circuits require evidence of actual harm, which is typically proof that the plaintiff has suffered identity theft or been a fraud victim. Others hold that the higher risk of harm created by a protected health information violation is enough to find a de facto injury sufficient to grant standing even if economic harm to the plaintiff is not shown.
"The Supreme Court has not yet addressed this split, although a petition was filed earlier this year by a health insurer urging its review," says Krystyna Monticello, JD, a partner with the Oscislawski law firm.
Apgar and Associates CEO Chris Apgar, CISSP, says the definition of harm is in a state of transition, moving away from requiring that it be definitively proven through a demonstrated financial impact or emotional distress, toward a position where harm "can be inferred by the circumstance surrounding the breach.
"I don't believe there will be a set definition of what represents harm until more courts move to the position that harm doesn't need to be proven to have occurred at the time the lawsuit was filed."