Healthcare data breach litigation usually requires plaintiffs to provide evidence that a breach of their Protected Health Information (PHI) has resulted in them coming to harm or suffering loss or injury as a result of the exposure of their data. At the very least, breach victims must be able to demonstrate that their PHI has at least been viewed by an unauthorized individual, and that the exposure of their PHI has placed them at an increased risk of coming to harm or suffering losses or injury as a result.
However, a recent case has seen a Massachusetts Superior Court judge rule that a plaintiff does have grounds to sue a healthcare provider based on the exposure of data alone, without any evidence needing to be provided to indicate an injury has been suffered. In this case, healthcare data breach litigation was possible based on the exposure of data alone.
Healthcare Data Breach Litigation No Longer Requires Evidence of Injury to Have Standing?
The case, Walker et al v. Boston Medical Center Corp, concerned a data breach suffered by Boston Medical Center in 2014. In total, 15,000 patients had their PHI exposed in a security breach involving a business associate of Boston Medical Center. The company suffering the breach, MDF Transcription Services, had posted medical information of patients along with their names and addresses on a website used by physicians; however, no passwords were required for the data to be viewed.
The incident was a violation of HIPAA Rules and a violation of patient privacy. An investigation conducted by the healthcare provider did not uncover any evidence to suggest any data were actually viewed by unauthorized individuals. The vendor was fired as a result of the privacy breach, and patients received a breach notification letter in the mail.
Some plaintiffs decided to sue Boston Medical Center for the privacy breach. The plaintiffs have not alleged that their PHI was actually viewed by any unauthorized party, although damages are being sought under a number of statutory and common law theories. The plaintiffs do allege they face an elevated risk of suffering injury as a result of the exposure of their PHI.
Boston Medical Center sought to have the case tossed claiming the case didn’t have standing as the plaintiffs did not face a “real and immediate risk of injury.” However, the court ruled that the mere exposure of data had potential to result in injury, and the case was deemed to have standing.
The case is unlikely to set a legal precedent in federal cases even if successful, although it is possible that further cases may be filed in the state of Massachusetts based on this Superior Court ruling. Just because the case has standing it does not mean that the plaintiffs will actually succeed in obtaining damages. The case will now proceed to discovery and the plaintiffs will need to provide evidence of the elevated risk they now face.