Liability from a breach of health information may be much more significant than the costs of notifying the affected individuals. Although there is no private right of action under HIPAA, private litigants have been attempting to devise theories which would support recovery of damages for violations of HIPAA. A recently amended complaint alleges that victims of the largest reported breach of health information are victims of financial fraud. This follows closely on the heels of an opinion from the Oregon Supreme Court which rejected a similar class action stemming from a breach because there was no actual harm caused by the breach. The amended complaint appears to signal a recognition by the plaintiffs’ bar of the need to demonstrate actual harm when seeking redress for a breach of protected health information.
D.C. District Court Case
The class action filed in the D.C. District Court arises out of the much-publicized September 13, 2011 breach of sensitive personal information pertaining to 4.9 million TRICARE beneficiaries. According to the complaint, unencrypted computer tapes were stolen from a parked car belonging to an employee of a TRICARE contractor. The personal information included Social Security numbers, addresses, dates of birth, phone numbers, and protected health information, such as medical records, provider information, laboratory test results, and prescription information. As a result of the theft, according to the complaint, plaintiffs had credit cards cancelled for suspicious activity and incurred fraudulent and unauthorized charges to their credit cards and bank accounts.
Oregon State Supreme Court Case
In the Oregon class action, there was no such alleged financial fraud. Rather, plaintiffs claimed damages for financial injury allegedly suffered by virtue of their personal information being stolen. Importantly, the plaintiffs’ alleged harm was a risk of future identity theft. The court concluded that, in the absence of any allegations that the information was misused or even viewed by a third party, plaintiffs did not suffer an injury that could provide a basis for a cause of action. The distinction between damages based on the breach itself and damages subsequently arising out of the breach was critical to the court’s analysis. In order to recover damages, the plaintiffs needed to allege actual, not potential, injury. Although speculative on our part, it appears that the plaintiffs in the D.C. class action may have adapted their position based on the reasoning in the Oregon decision.
What this means for entities which have experienced a breach is that the potential liability is much more than the initial cost of breach response and notification to affected individuals. First, the HIPAA Privacy Rule requires covered entities to “mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information” in violation of the Privacy Rule. 45 C.F.R. § 164.530(f). In an environment of heightened enforcement, each Privacy Rule violation is viewed independently. Second, as is becoming more and more evident, failing to mitigate the harms which may result from a breach increases the risk of private litigation. Thus, an entity responding to a breach must be particularly mindful to mitigate the harmful effects of a breach, e.g., financial fraud, not only in order to comply with the HIPAA Privacy Rule, but also, and maybe even more importantly, to best position itself in the event it must respond to private claims arising out of the breach. As breaches are becoming much more prevalent (and certainly more public!), timely and effective mitigation strategies are essential to any effective HIPAA compliance and risk management plan.