Longtime HIPAA aficionados will recall that there is no private right of action under HIPAA. In other words, a patient cannot sue a covered entity for damages as a result of a data breach under HIPAA. However, HIPAA may establish a standard of care relevant to an action under a different legal theory (as when lawsuits are brought under state law since no cause of action is available under HIPAA).
And sometimes one simply needs to use a different legal theory.
The Third Circuit Court of Appeals has now ruled that a class action lawsuit against Horizon Blue Cross Blue Shield (NJ) should be allowed to proceed, overruling the suit’s dismissal by a federal district court for plaintiffs’ lack of standing. The lower court ruled thus because the named plaintiffs had not experienced actual losses related to the data breach represented by the 2012 theft of two unencrypted laptops containing PHI of about 840,000 plan members. (Unencrypted — even though Horizon experienced an unencrypted laptop theft in 2008 affecting 300,000 members.)
The case was brought under the Fair Credit Reporting Act, which creates a duty of care to consumers owed by consumer reporting agencies. (Note that thanks to the complexities of health care and health insurance and federal law, insurance plans are considered consumer reporting agencies under FCRA.) The plaintiffs argued that “the violation of their statutory right [under FCRA] to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact.” (“Injury in fact” is the key component of standing that was at issue in this case.) The Appeals Court agreed, noting that it had ruled in favor of plaintiffs in similar situations — in the Google cookie placement class action in 2015 (placing a cookie on a consumer’s hard drive in violation of the Secure Communications Act gives the consumer standing to sue even absent evidence of economic harm) and in the Nickelodeon class action in 2016 (“when it comes to laws that protect privacy, a focus on economic loss is misplaced …. the unlawful disclosure of legally protected information constitutes a clear de facto injury”).
In the context of other legislative schemas, however, more than mere disclosure would be required to find liability. (Consider the most recent decision in the LabMD case.) Similarly, evidence of damages caused by the breach would be required in the context of a common law claim (even if the standard of care is extrapolated from a statute such as HIPAA).
If you are reading this from the perspective of a covered entity or business associate, you may decry the approach of class action plaintiffs’ counsel in bringing cases like the Horizon case. If you are a member of that class, you may wonder how much you may recover, and whether you ever will. If you are an observer of the health care privacy and security compliance landscape, you may ponder whether decisions in cases such as this may move covered entities and business associates to redouble their compliance efforts. After all, Horizon may still prevail in this case — there are many steps remaining — but it could have avoided the litigation entirely by devoting resources to developing and implementing more comprehensive data privacy and security policies and procedures, and ensuring that it had engendered a culture of compliance among its workforce.
Prevention is still the best medicine.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
David Harlow says
Just saw news that a federal district court within the 11th Circuit has the same take on FCRA — in another context, but the bottom line is the same: injury in fact not required for standing to bring suit under FCRA. https://www.law360.com/privacy/articles/886341