It is now common for the victims of healthcare data breaches to take legal action against a healthcare provider, insurer, or business associate of a HIPAA-covered entity when they have experienced a data breach that has resulted in the exposure of their personal and/or healthcare data.
Individuals whose PHI has been compromised or impermissibly disclosed cannot sue for the HIPAA violation, as there is no private cause of action in HIPAA. A HIPAA violation often correlates with a violation of state laws, which means legal action could potentially be taken over the data breach.
In cases where there has been a violation of a law that has a private cause of action, legal action is possible, but a plaintiff must be able to prove that they have suffered harm as a direct result of the violation. This is an area where many lawsuits fail: while the theft of an individual's personal and healthcare data can place that individual at an increased risk of identity theft and fraud, that may not be sufficient for the claim to have standing. Many cases have not survived a motion to dismiss because the claims of harm were viewed as too speculative.
That was the case with a recent lawsuit filed against Universal Health Services over a September 2020 ransomware attack. The Ryuk ransomware gang gained access to UHS systems, allegedly exfiltrated data, and issued a ransom demand for the keys to unlock encrypted files and to prevent the sale or public exposure of the stolen data. The attack resulted in many UHS systems being offline for a month and UHS was forced to postpone scheduled appointments due to the lack of access to its IT systems.
Following the attack, the law firm Morgan & Morgan filed a lawsuit against UHS in the U.S. District Court of the Eastern District of Pennsylvania alleging UHS was negligent for failing to implement appropriate security protection to keep patient data private and confidential, for breach of implied contract, breach of fiduciary duty, and breach of confidence.
Three plaintiffs were named in the lawsuit, two of whom claimed that the ransomware attack and alleged data theft placed them at an increased risk of identity theft and fraud. UHS filed a motion to dismiss and, this week, U.S. District Judge Gerald McHugh ruled in favor of the defendant, as the alleged harm suffered was deemed to be too speculative.
“A court is still left to speculate, [as in Reilly v. Ceridian Corp], whether the hackers acquired Plaintiffs’ PHI in a form that would allow them to make unauthorized transactions in their names, as well as whether Plaintiffs are also intended targets of the hackers’ future criminal acts,” explained Judge McHugh. “At this juncture, the most Plaintiffs can plead is that the hackers secured their PHI through a ransomware attack against Universal.”
Such a ruling is far from unusual. What is unusual is that Judge McHugh allowed the claim of one plaintiff to proceed. The third plaintiff, Stephen Motkowicz, was due to undergo surgery for a medical condition, but following the attack his surgery appointment was postponed. As a result of that postponement, Motkowicz was forced to take further time off work, lost his health insurance coverage with his employer, and had to pay for a health insurance policy at a higher price.
In the case of Motkowicz, his claim of injury was not deemed to be speculative, as actual losses had been suffered following the data breach. The plaintiff had demonstrated injury-in-fact, but what was not clear was the issue of causation: whether the injury could be directly attributed to the data breach. The plaintiff is required to demonstrate that an injury-in-fact is “fairly traceable to the challenged conduct of the defendant.”
“This causal chain presents Plaintiff with a significant challenge, but a definitive answer as to standing requires further development of the record,” wrote the Judge, who gave the parties “sixty days within which to conduct discovery and supplement the record with affidavits or deposition testimony pertinent to the issue of causation.”