HIPAA data breach claims are now a common problem faced by HIPAA-covered entities after any security breach that exposes the Protected Health Information (PHI) of health plan members or patients. At least one class action lawsuit is likely to be filed if patient data is exposed, but how likely is it that these class action HIPAA data breach claims for damages will be successful? Past evidence would suggest that plaintiffs will face a struggle to obtain damages by making HIPAA data breach claims.
HIPAA does not include a private right of action, so individuals wishing to take legal action over data breaches must file lawsuits on the grounds of a breach of (implied) contract or professional negligence. There has been a spate of these lawsuits filed in recent months as plaintiffs seek damages for having their personal and confidential data exposed.
The recent data breach at Premera Blue Cross has so far resulted in 5 class-action lawsuits being filed on the grounds of negligence, breach of contract and breach of implied contract. At face value, these claims should have a reasonable chance of success. The breach appears to have resulted from lax security standards, yet plan members have paid for the necessary security to be implemented.
However, recent court cases have shown that when it comes to damages, plaintiffs are rarely awarded what they claim, and most cases are thrown out because the claims are speculative or show little evidence of harm. The courts are now becoming suspicious of claims for damages, especially when the plaintiffs appear to have little proof of actual injury or loss being suffered.
HIPAA Data Breach Claims are Usually Problematic
While not a class action lawsuit against a healthcare provider, the Lovell vs. P.F. Chang’s China Bistro, Inc. case highlighted a common problem with HIPAA breach claims. The case was heard in the same court in which class action lawsuits have been filed against Premera, the United States District Court for the Western District of Washington. In the Lovell case, however, the court ruled against the damages claim.
The claims of negligence, breach of contract and breach of implied contract were not well founded, and the case was dismissed due to a lack of evidence. This is the main problem with civil claims for damages. In order for a court to award damages, there must be some evidence of actual harm, loss or damage being suffered. In the majority of HIPAA breach cases there is not enough evidence available for the plaintiffs to build a winning case.
A class-action lawsuit was filed against Horizon Healthcare Services after two unencrypted laptop computers were stolen from the healthcare provider’s facilities, exposing the data of approximately 840,000 individuals. No plaintiff claimed to have suffered from identity or medical fraud and the case was thrown out for a lack of evidence of harm.
While all healthcare providers and health plans should be wary of claims following a HIPAA data breach, at the present time at least, unless the victims have suffered identity or medical fraud, HIPAA data breach claims are likely to be difficult to win.