Overseas litigation for breach of privacy relating to medical records
April 18, 2012
Health records are particularly sensitive documents. They store information that is regarded as deeply private even by those who otherwise take a robust approach to privacy protections. The other characteristic of health records, particularly hospital records, is that they are accessible to a whole range of individuals. Doctors, nurses and administrators all have some need to view a patient’s record, or at least part of it. Then there are orderlies, students, security staff and cleaners who could get access to records in hard copy form without too much difficulty. There is potentially a larger group again who can get to them electronically. This makes for a heightened need for data security. In Victoria this has been recognised with the enactment of the Health Records Act.
“Law firms see big money in healthcare breach cases” is an interesting article highlighting the exposure of US health care providers to data breaches. It provides:
In California, where a unique state law provides for damages of $1,000 per person per violation of the Confidentiality of Medical Information Act of 1981 (CMIA), plaintiff law firms are lining up to file privacy data breach class-action lawsuits against hospitals, medical service providers and health insurers that, if successful, could easily yield payouts in the multiple millions.
The San Francisco-based legal publication The Recorder reported April 6 that at least a half-dozen plaintiff firms had filed complaints for privacy breaches so far, seeing it as a lucrative new source of income.
Brian Kabateck of the Los Angeles plaintiffs firm Kabateck Brown Kellner told The Recorder, “There’s an awful lot at stake here.”
Indeed, a suit pending against St. Joseph Health System involves the exposure of medical information of about 31,800 patients. At $1,000 each, even if only one violation is involved, it is simple math to see that would yield damages of $31.8 million.
But there is considerable distance between that gleam in a law firm’s eye and reality. The attorneys filing the complaints and the attorneys defending their targets agree that they are in untested legal waters. Filing privacy breach cases as class actions is new, and all those involved say new legal precedents will be made in the next several years.
The CMIA, now more than 30 years old, was obviously designed for an era when documents were secured in file cabinets, and the most a single thief could carry away would likely be less than 30. And, without having somebody on the inside, it would also take breaking locks, smashing windows and generally defeating all the physical security measures common to medical facilities.
Now, with patient records in digital form, “you could have a million records stolen in a couple of seconds,” says Randy Sabett, an attorney with ZwillGen, a Washington, D.C.-based law firm specializing in legal issues involved in doing business on the Internet.
Sabett says health care companies could be vulnerable if they took no measures to protect data.
He says a colleague took part in a survey where 38 percent of companies in the medical and financial industries admitted to being knowingly out of security compliance.
But, he says, everybody knows, including judges, that 100 percent security on the Internet simply does not exist. Indeed, there are endless examples of breaches of companies that are in compliance, which makes it much more difficult to prove negligence.
“There is a requirement for reasonable security measures,” he says, “but there is a difference in the nature of attacks between the physical and digital world. Today, they change daily, if not hourly. They can be very sophisticated.”
Kabateck agrees with that much. “I’m not pursuing cases where there isn’t negligence,” he says, “but there is disregard for security protocols in many cases. If there is an intervening criminal act, that is a different story.”
There are other reasons these cases may not be the proverbial layup for the plaintiffs. The Oregon Supreme Court recently struck down a class-action suit against Providence Health Systems that had been settled six years ago, finding no evidence that any of 365,000 patients whose data had been on disks/tapes that were stolen from a Providence employee’s car had suffered any financial loss or other adverse consequences.
That, Sabett says, may be a problem with the California law. “I’m not opining on whether this is good or bad,” he says, “but there may be a flaw in the presumption that every single person has suffered $1,000 in damages.”
He notes that virtually all companies offer mitigation to their customers. “I haven’t worked on a breach case in more than four years where the company has not offered free credit monitoring,” he says, “and banks and credit companies issue a new card for free.”
Sasha Romanosky, of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, is a co-author of a paper published in February titled “Empirical Analysis of Data Breach Litigation,” which found that the odds of a company being sued in federal court were six times lower when it offered free credit monitoring to customers whose information was breached.
“It tends to make them less angry, and also cuts the knees out of a legal claim of damages,” he says.
There may be cases where embarrassment or even professional damage from the disclosure of things like names, height, weight, smoking history, blood pressure, patient account numbers, treatment dates, lab results, diagnosis codes and billing charges could cause damages of far more than $1,000.
“But are you going to presume that for everyone?” Sabett asks.
Not in the view of the Oregon Supreme Court, which said in the Providence case, “We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff’s personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm.”
Of course, the California law doesn’t require proof of damages. It imposes the $1,000 simply for proof of violation of the CMIA. And Kabateck notes that the theft of digital data can be very damaging indeed. “If somebody broke into a building and stole records, that’s one person looking at them,” he says. “On the Internet, it’s the whole world. It can affect the ability of people to get jobs, insurance — things like that.”
Kabateck says he doesn’t think such suits will become a long-term trend. “I don’t think we will be doing this 10 years from now, because corporations will realize there is a cost to screwing up,” he says.
Eric Cowperthwaite, CISO of Providence Health & Services, agrees, noting that the average cost per record breached so far has been about $150. “When it more than quintuples to $1,000, that is significant,” he says. But he adds that the concern is not just monetary. “I know a lot of health-care security leaders, and every one of them is concerned with protecting patient data,” he says.
Still, these cases will undoubtedly be watched closely in other states. An estimated 18 million confidential patient records have been breached in just the past two years, providing the potential for billions in damages. Cowperthwaite says a suit against Sutter Health is of particular interest, since the magnitude of the breach was 4.24 million people, with potential liability to Sutter at $4.5 billion, including attorney fees.
And Romanosky says plaintiffs are “trying everything” to succeed in data-breach suits. “We identified over 86 unique causes of action (from only 231 cases) for essentially the same event: the unauthorized disclosure of personal information,” he says.
“ID thefts plague hospitals” highlights the danger of health care providers suffering data breaches. It provides:
According to a February study, 91 percent of small healthcare organizations suffered at least one data breach, with 24 percent of them likely resulting in medical identity theft. That list already is growing as about 100 North Shore University Hospital patients had their identities compromised, North Shore-Long Island Jewish Health System announced Thursday.
An ongoing investigation has found that an ID theft ring involved about 1,000 victims throughout the Northeast, affecting people outside of North Shore University Hospital.
The health system already informed involved patients of the ID theft. Patients who haven’t gotten a letter have not been deemed victims and should not believe their personal information has been improperly accessed, North Shore-LIJ said.
However, more North Shore patients have started coming forward as ID theft victims, only after watching an Eyewitness News report last week. For example, North Shore patient Denise Abdale never received a letter from the hospital and had no idea how her identity was stolen until she saw the report on the North Shore ID theft ring Wednesday night, according to WABC Eyewitness News.
A registered nurse was charged Thursday for ID theft and possessing stolen information from North Shore and an international freight company, noted the article.
Meanwhile, another privacy breach has occurred at Memorial Healthcare System (MHS), in which workers stole patient information to file false tax returns, the Florida system announced last week. The system discovered the breach Jan. 27 but didn’t say how the information was accessed.
After getting the okay from law enforcement officials, the system notified potentially affected patients that former employees may have accessed their names, dates of birth and Social Security numbers between 2011 and early 2012. The personal information did not include medical records, MHS noted.
Recent instances of health related breaches in the US include:
- 1,700,000 people affected by a NY Hospital Corporation losing (through theft) a backup tape. See here.
- claims data of 182,000 Medicaid and Children’s Health Insurance Plan recipients compromised by hacking. See here.