Class action lawsuits can result from a protected health information data breach

Breaches involving protected health information (“PHI”) often evoke concerns regarding reporting obligations to the U.S. Department of Health and Human Services (“HHS”), as well as the potential fines under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). What most entities do not realize is that a class action lawsuit can be equally, if not more costly, in terms of reputational, legal, and financial damages.

For those unfamiliar with class actions, this particular cause of action, if filed in a United States District Court, must meet the requirements of Federal Rule of Civil Procedure 23, in order to be certified as a class. As Arthur R. Miller, a renowned Professor of Civil Procedure at New York University School of Law relayed to me during an interview for The Federal Lawyer, “[t]o justify the class form, a high level of overlap among the claim is required. Sometimes efficiency, economy, and system values trump individual actions; we need to aggregate when the commonality is extremely high.” It is not surprising that a data breach involving PHI has a commonality related to a particular event.

Two recent cases, one settled and one just filed, are illustrative of the effects of class actions, which are filed in relation to an underlying data breach involving PHI. First, on August 15, 2018, a court granted final approval of a class action settlement of $115 million related to a 2015 cyber attack perpetrated on Anthem BlueCrossBlueShield. Leniski v. Anthem Inc., et al., Case No. 5:15-cv-02992 (N. D. Ca.). One of the largest data breach settlements to date, Anthem was also penalized $16 million by HHS for failing to have the appropriate technical safeguards in place to prevent a breach.

More recently, in June 2020, Florida Orthopedic Associates (“FOA”) was named as a defendant in a class-action lawsuit related to its failure to safeguard patient’s PHI, as well as its subsequent failure to act once the breach was detected. In this case, availability of the data was affected by a ransomware attack, which came to light on April 9, 2020. After a root cause analysis by a third-party, it was determined that the attackers may have accessed and exfiltrated sensitive data. Subsequently, the affected patients were notified on or about June 19, 2020. The financial, legal, and reputational costs to FOA could be significant. In addition to a potential class action settlement, HHS could also levy a fine, just as it did in the Anthem data breach case.

What can covered entities, business associates, and subcontractors do to mitigate the risk of a breach, including those caused by a ransomware attack? First and foremost, persons should cultivate a “culture of compliance” that includes an annual comprehensive risk analysis as a first step. Spending a little money up front to conduct a risk analysis, train employees and comply with the other facets of the HIPAA Security Rule and Privacy Rule can lead to great savings in the long run.

_{About the Author}

_{Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.}