Law firms see big money in healthcare breach cases

Cybercriminals are not the only ones looking to make money from health data breaches.

In California, where a unique state law provides for damages of $1,000 per person per violation of the Confidentiality of Medical Information Act of 1981 (CMIA), plaintiff law firms are lining up to file privacy data breach class-action lawsuits against hospitals, medical service providers and health insurers that, if successful, could easily yield payouts in the multiple millions.

The San Francisco-based legal publication The Recorder reported April 6 that at least a half-dozen plaintiff firms had filed complaints for privacy breaches so far, seeing it as a lucrative new source of income.

Brian Kabateck of the Los Angeles plaintiffs firm Kabateck Brown Kellner told The Recorder, "There's an awful lot at stake here."

Indeed, a suit pending against St. Joseph Health System involves the exposure of medical information of about 31,800 patients. At $1,000 each, even if only one violation is involved, it is simple math to see that would yield damages of $31.8 million.

But there is considerable distance between that gleam in a law firm's eye and reality. The attorneys filing the complaints and the attorneys defending their targets agree that they are in untested legal waters. Filing privacy breach cases as class actions is new, and all those involved say new legal precedents will be made in the next several years.

The CMIA, now more than 30 years old, was obviously designed for an era when documents were secured in file cabinets, and the most a single thief could carry away would likely be less than 30. And, without having somebody on the inside, it would also take breaking locks, smashing windows and generally defeating all the physical security measures common to medical facilities.

Now, with patient records in digital form, "you could have a million records stolen in a couple of seconds," says Randy Sabett, an attorney with ZwillGen, a Washington, D.C.-based law firm specializing in legal issues involved in doing business on the Internet.

Sabett says health care companies could be vulnerable if they took no measures to protect data.

He says a colleague took part in a survey where 38 percent of companies in the medical and financial industries admitted to being knowingly out of security compliance.

But, he says, everybody knows, including judges, that 100 percent security on the Internet simply does not exist. Indeed, there are endless examples of breaches of companies that are in compliance, which makes it much more difficult to prove negligence.

"There is a requirement for reasonable security measures," he says, "but there is a difference in the nature of attacks between the physical and digital world. Today, they change daily, if not hourly. They can be very sophisticated."

Kabateck agrees with that much. "I'm not pursuing cases where there isn't negligence," he says, "but there is disregard for security protocols in many cases. If there is an intervening criminal act, that is a different story."

There are other reasons these cases may not be the proverbial layup for the plaintiffs. The Oregon Supreme Court recently struck down a class-action suit against Providence Health Systems that had been settled six years ago, finding no evidence that any of 365,000 patients whose data had been on disks/tapes that were stolen from a Providence employee's car had suffered any financial loss or other adverse consequences.

That, Sabett says, may be a problem with the California law. "I'm not opining on whether this is good or bad," he says, "but there may be a flaw in the presumption that every single person has suffered $1,000 in damages."

He notes that virtually all companies offer mitigation to their customers. "I haven't worked on a breach case in more than four years where the company has not offered free credit monitoring," he says, "and banks and credit companies issue a new card for free."

Sasha Romanosky, of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, is a co-author of a paper published in February titled "Empirical Analysis of Data Breach Litigation," which found that the odds of a company being sued in federal court were six times lower when it offered free credit monitoring to customers whose information was breached.

"It tends to make them less angry, and also cuts the knees out of a legal claim of damages," he says.

There may be cases where embarrassment or even professional damage from the disclosure of things like names, height, weight, smoking history, blood pressure, patient account numbers, treatment dates, lab results, diagnosis codes and billing charges could cause damages of far more than $1,000.

"But are you going to presume that for everyone?" Sabett asks.

Not in the view of the Oregon Supreme Court, which said in the Providence case, "We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff's personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm."

Of course, the California law doesn't require proof of damages. It imposes the $1,000 simply for proof of violation of the CMIA. And Kabateck notes that the theft of digital data can be very damaging indeed. "If somebody broke into a building and stole records, that's one person looking at them," he says. "On the Internet, it's the whole world. It can affect the ability of people to get jobs, insurance -- things like that."

Kabateck says he doesn't think such suits will become a long-term trend. "I don't think we will be doing this 10 years from now, because corporations will realize there is a cost to screwing up," he says.

Eric Cowperthwaite, CISO of Providence Health & Services, agrees, noting that the average cost per record breached so far has been about $150. "When it more than quintuples to $1,000, that is significant," he says. But he adds that the concern is not just monetary. "I know a lot of health-care security leaders, and every one of them is concerned with protecting patient data," he says.

Still, these cases will undoubtedly be watched closely in other states. An estimated 18 million confidential patient records have been breached in just the past two years, providing the potential for billions in damages. Cowperthwaite says a suit against Sutter Health is of particular interest, since the magnitude of the breach was 4.24 million people, with potential liability to Sutter at $4.5 billion, including attorney fees.

And Romanosky says plaintiffs are "trying everything," to succeed in data-breach suits. "We identified over 86 unique causes of action (from only 231 cases) for essentially the same event: the unauthorized disclosure of personal information," he says.

Stories by Taylor Armerding