How to Mitigate Liability in a Data Breach Lawsuit

A class-action lawsuit is all but guaranteed if a data breach exposes the healthcare data or Social Security numbers of patients or plan members; it is, however, possible to mitigate liability in a data breach lawsuit. The catch? Action must be taken early, before any breach occurs.

Take proactive steps and you will reduce both your liability for damages and the probability of suffering a HIPAA data breach in the first place. Preventing every cyberattack is almost certainly impossible, but liability can be avoided.

How to Mitigate Liability in a Data Breach Lawsuit

You will not be able to prevent lawsuits from being filed if the PHI of patients or plan members has been exposed, but there are a number of ways to mitigate liability in a data breach lawsuit and avoid paying damages.

If plaintiffs have been affected by identity fraud or have suffered other losses, it may be necessary to settle claims. In the majority of cases, however, data breach lawsuits are filed on grounds of negligence with no actual harm or damages having been suffered. The most common allegations are a failure to implement appropriate security defenses, a failure to train staff, and a failure to issue breach notifications promptly and alert breach victims.

Appropriate security defenses are a must. PHI must be protected by the physical, technical and administrative safeguards required by HIPAA. Staff must be trained on data security and patient privacy, kept up to date on the latest threats, and given regular briefings and training refreshers.

A Tried and Tested Breach Response Plan is Essential

One of the most fundamental protections is to have a data breach response plan in place, to update it frequently, and to test it to make sure it works in practice. It must be possible to deploy a security response team immediately, which means that such a team must already exist, be trained, and be ready to respond.

HIPAA-covered entities must respond to data breaches immediately, and they must be able to demonstrate that appropriate resources were in place and that a speedy breach response was executed.

The breach response must include terminating the unauthorized access to data, notifying prominent media outlets if the breach affected more than 500 individuals, reporting the breach to OCR, and sending breach notifications to affected patients promptly (the HIPAA Breach Notification Rule requires this without unreasonable delay and in no case later than 60 days after discovery). It may also be necessary to rapidly initiate other risk mitigation measures, such as providing credit monitoring services for victims.

The Majority of Breaches can be Prevented

While measures can be taken to mitigate liability in a data breach lawsuit, it is better to prevent the data breach from occurring in the first place. One of the key measures is to ensure that all data, both at rest and in transit, is encrypted to NIST-approved standards. This matters doubly under HIPAA: PHI encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest and NIST-approved TLS/VPN configurations for data in transit) is not "unsecured PHI", so the loss of an encrypted device or the interception of encrypted traffic is not a reportable breach.

If a cyberattack is suffered or a portable storage device is lost, questions will be asked about any lack of encryption. Combined with training, regular internal security audits, and a swift and efficient breach response, encryption greatly reduces the probability that a class action will be certified or that a HIPAA-covered entity will be held liable for damages if a breach does occur.
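As an added example (this is not code from the original article), the following Go program shows what encrypting a PHI record at rest with a NIST-approved algorithm looks like in practice: AES-256 in GCM mode (FIPS 197 block cipher, NIST SP 800-38D mode), which encrypts the record and also authenticates it, so that a lost device yields only ciphertext and any tampering is detected on decryption. The key, the sample record and the record label used as associated data are all constructed for this example; a production system would fetch the key from a KMS or HSM rather than generate it next to the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit key for AES-256.
// Example only: in production the key comes from a KMS/HSM, not the application.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD (96-bit nonce, 128-bit tag per SP 800-38D).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. aad is authenticated but not
// encrypted; binding a record label to the ciphertext prevents one record's
// ciphertext from being swapped into another record. Output: nonce || ciphertext || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per message: reusing a nonce under the same key
	// destroys GCM's confidentiality and authenticity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the authentication tag and decrypts. Any change to the nonce,
// ciphertext, tag or aad returns an error instead of corrupted plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN=000123;DOB=1970-01-01;SSN=000-00-0000;DX=I10")
	aad := []byte("phi-record:mrn=000123:v1")

	sealed, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(sealed))

	plain, err := Open(key, sealed, aad)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, record))

	// Flip one bit of the stored blob: decryption must fail, not return garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	// Same blob presented under a different record label must also fail.
	_, err = Open(key, sealed, []byte("phi-record:mrn=000999:v1"))
	fmt.Println("wrong record label rejected:", err != nil)
}
```

The storage format is deliberately simple (nonce, ciphertext, tag concatenated); what makes the stored file "secured PHI" in HIPAA terms is the algorithm and mode, plus keeping the key off the device that holds the data. Note that encryption at rest protects a lost laptop or USB drive but does nothing against an attacker who compromises a system while the key is loaded, which is why the article pairs it with access controls, training and audits.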

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of