HealthBlawg

David Harlow's Health Care Law Blog

Stolen Laptops Class Action Gets New Legs

January 27, 2017

Longtime HIPAA aficionados will recall that there is no private right of action under HIPAA. In other words, a patient cannot sue a covered entity for damages under HIPAA as a result of a data breach. However, HIPAA may establish a standard of care relevant to an action under a different legal theory (as when lawsuits are brought under state law precisely because no cause of action is available under HIPAA).

And sometimes one simply needs to use a different legal theory.

The Third Circuit Court of Appeals has now ruled that a class action lawsuit against Horizon Blue Cross Blue Shield (NJ) should be allowed to proceed, overruling the suit’s dismissal by a federal district court for plaintiffs’ lack of standing. The lower court ruled thus because the named plaintiffs had not experienced actual losses related to the data breach represented by the 2012 theft of two unencrypted laptops containing PHI of about 840,000 plan members. (Unencrypted — even though Horizon experienced an unencrypted laptop theft in 2008 affecting 300,000 members.)

The case was brought under the Fair Credit Reporting Act, which creates a duty of care to consumers owed by consumer reporting agencies. (Note that, thanks to the complexities of health care, health insurance and federal law, insurance plans are considered consumer reporting agencies under FCRA.) The plaintiffs argued that “the violation of their statutory right [under FCRA] to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact.” (“Injury in fact” is the key component of standing that was at issue in this case.) The Appeals Court agreed, noting that it had ruled in favor of plaintiffs in similar situations — in the Google cookie placement class action in 2015 (placing a cookie on a consumer’s hard drive in violation of the Secure Communications Act gives the consumer standing to sue even absent evidence of economic harm) and in the Nickelodeon class action in 2016 (“when it comes to laws that protect privacy, a focus on economic loss is misplaced …. the unlawful disclosure of legally protected information constitutes a clear de facto injury”).

In the context of other legislative schemas, however, more than mere disclosure would be required to find liability. (Consider the most recent decision in the LabMD case.) Similarly, evidence of damages caused by the breach would be required in the context of a common law claim (even if the standard of care is extrapolated from a statute such as HIPAA).

If you are reading this from the perspective of a covered entity or business associate, you may decry the approach of class action plaintiffs’ counsel in bringing cases like the Horizon case. If you are a member of that class, you may wonder how much you may recover, and whether you ever will. If you are an observer of the health care privacy and security compliance landscape, you may ponder whether decisions in cases such as this will move covered entities and business associates to redouble their compliance efforts. After all, Horizon may still prevail in this case — there are many steps remaining — but it could have avoided the litigation entirely by devoting resources to developing and implementing more comprehensive data privacy and security policies and procedures, and by ensuring that it had engendered a culture of compliance among its workforce.

Prevention is still the best medicine.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Image credit: HowToStartABlogOnline.net – via Flickr CC

Filed Under: Health care policy, Health Law, HIPAA, Privacy, Security

Comments

  1. David Harlow says

    January 31, 2017 at 1:16 pm

    Just saw news that a federal district court within the 11th Circuit has the same take on FCRA — in another context, but the bottom line is the same: injury in fact not required for standing to bring suit under FCRA. https://www.law360.com/privacy/articles/886341
