James Houston (firstname.lastname@example.org) is Division Privacy Officer at CHI St. Luke’s Health Texas Division, Corporate Responsibility.
Being sued by patients and fined by government agencies is generally part of doing business in the healthcare arena. Large-scale data breaches are now changing that landscape. With the near ubiquitous use of electronic health records (EHR) and the ever-increasing volume and sophistication of attacks against organizations, a seemingly trivial oversight in an organization’s privacy and security compliance program can lead to unexpected and overwhelming consequences imposed by a class action lawsuit. The purpose of this article is to introduce the reader to what a class action lawsuit is and explain what claims are being exerted by plaintiffs as a result of a data breach.
Class action lawsuit
If you have a television, you have probably seen any one of the countless commercials produced by law firms that target people who may have mesothelioma, had defective breast implants, or suffered any number of injuries from medications. Many of those law firms are looking for people who can be plaintiffs in new class action lawsuits. The idea of a class action lawsuit is that there is a large number of people across a large geographic area who have suffered the same types of injuries at the hands of one or more specific organizations. A class action lawsuit is a massive lawsuit involving hundreds, thousands, or even millions of people. It is defined as “civil action filed under rule 23 of the Federal Rules of Civil Procedure or similar State statute or rule of judicial procedure authorizing an action to be brought by 1 or more representative persons as a class action.” In a class action lawsuit, the representative person(s) may sue on behalf of all the members in the class if (1) there are so many members that joining everyone to the lawsuit would be impractical, (2) there are questions of law or facts shared among all the members in the class, (3) the claims of the representative person are typical of the claims of the class members, and (4) the representative party “will fairly and adequately protect the interests of the class.” In order to file a class action lawsuit in federal court, the amount claimed in the lawsuit must be more than $5 million, and any member of the class of plaintiffs must be a citizen of a state different from any defendant (the discussion in this article will evolve around the Federal Rules of Civil Procedure and federal statutes, because state class action statutes are generally modeled after the federal statutes and rules.)
Having a large group of injured people (class) alone is not enough to file a class action lawsuit. There must be some underlying legal basis for suing (action). That legal basis is known as the cause of action. Cause of action is defined as “the ground on which an action can be maintained.” It is what makes it legally possible for someone to file a lawsuit. Consider the following example. Imagine that a vendor contracted to install a fire suppression system in a clinic. A year after the installation, a fire breaks out, and because the system failed to operate as intended, the clinic was destroyed and a dozen people were injured. The clinic and the injured patients may not sue the vendor unless there is a cause of action. In that example, the legal grounds for suing the vendor—the cause of action—may be that the vendor materially breached their contract, that the vendor was negligent in installing the system, that the vendor violated some regulation when installing the system, or even that they intentionally installed the system wrong. Whatever the reason may have been for the fire suppression system failure, the vendor cannot be sued unless there is a cause of action found in the law. In this example, the legal basis for suing the vendor includes breach of contract, negligence, negligence per se, and intentional tort.
Data breach class action lawsuits
There are any number of legal theories that could support a class action lawsuit. This article focuses on the legal theories exerted in the following data breach class action lawsuits.
Anthem Inc.: A 2015 data breach in which hackers infiltrated a data warehouse that contained protected health information (PHI) and personally identifiable information (PII) of nearly 80 million people. The case was settled for $115 million in 2018.
University of California, Los Angeles: A 2015 data breach in which hackers entered into the network that contained PHI and PII of approximately 4.5 million patients. The case was settled for $7.5 million in 2019.
Community Health Systems Inc.: A 2014 data breach in which hackers entered into the network that contained PHI and PII of approximately 4.5 million patients. The case was settled for $3.1 million in 2018.
Washington State University: A 2017 data breach that resulted from the theft of an unencrypted hard drive from a storage facility that contained PHI and PII of approximately 1.2 million people. The case was settled for $4.7 million in 2019.
Baystate Health Inc.: A February 7, 2019, data breach in which hackers gained access to employee emails through a phishing attack and subsequently accessed PHI and PII of more than 12,000 patients. The class action lawsuit was filed on April 11, 2019, a mere three days after Baystate notified the patients about the breach.
Hackensack Meridian Health Inc.: A December 2, 2019, ransomware attack that brought down the health system’s entire computer network for two days. Hackensack paid an undisclosed ransom amount in order to stop the attack and recover its records from the hackers. The class action lawsuit was filed on February 10, 2020, despite Hackensack’s declaration that there is “no indication that any patient or employee information was subject to unauthorized access or disclosure.”
Common facts, common legal theories
The common facts in each case are that a data breach of PHI/PII occurred as a result of some intentional misconduct by a bad actor against an organization and the allegations that the organization failed to prevent or stop them. For the purposes of this article, a breach means “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by regulation] which compromises the security or privacy of the protected health information.”
In each class action lawsuit, the data breach was the factual basis that formed the foundation for the causes of action that ultimately made up each lawsuit. There are four legal theories that are common to these class action lawsuits and are the legal basis for suing: breach of contract, negligence, negligence per se, and violations of state laws. I will focus on breach of contract and the two negligence theories.
Breach of contract
In order to create a contract, there generally needs to be an offer to enter into an agreement, an acceptance of that offer, some valuable consideration exchanged between the parties, and an understanding between the contracting parties about the basic substance of the agreement. A contract can either be an express contract, in which the terms of the agreement are specifically spelled out and generally formalized into a written document, or an implied contract, in which the terms of the contract are inferred from the circumstances and the relationship between the parties. In either case, if there is a valid contract and one party fails to perform any of the terms of the contract, then the contract is considered breached.
In these data breach class action lawsuits, the plaintiffs allege that the organizations entered into both express and implied contracts. The lawsuits allege that there were valid and enforceable express contracts because the organizations promised to provide services and to protect patients’ information in exchange for an agreement to pay for the services. As evidence of the promise to protect the plaintiffs’ information, they point to the organizations’ notice of privacy practices, which states that the organization will maintain the privacy and security of the health information, not use or disclose the information without authorization, and notify the patients of a breach of that information. Additionally, the allegations assert that an implied contract was created when the organizations solicited information from the patients during the regular course of business; the patients gave them that personal information with the understanding that the organization would protect it as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), state laws, and in accordance with the notice of privacy practices.
The crux of the breach of contract theory are the allegations that the organizations failed to keep their promises to protect the patients’ information, and the patients would not have given their personal information to the organizations had they known that the organizations would not or could not keep it secure. Ultimately, the plaintiffs allege that the organization breached their express and implied contracts by failing to safeguard their private information as evidenced by the data breach.
Negligence and negligence per se
Negligence is a “failure to act as a reasonable person [would toward] someone to whom s/he owes a duty, as required by law, under the circumstances.” The general negligence cause of action requires that the following elements of tort negligence are satisfied: (1) there was a duty of care owed by the defendant to the plaintiff; (2) there was a breach of that duty; (3) the breach of the duty was the actual and proximate cause of the harm that occurred; and (4) the plaintiff was harmed by the defendant’s conduct. When thinking about what a “duty” that a person owes to another actually is, it is best to think about the duty as being a standard of care. For example, ask yourself what duty or standard of care a surgeon owes to their patient when performing surgery. Their duty to the patient is not established by the patient or even the surgeon themselves. Rather, the surgeon’s duty to the patient will be set by the medical community at large and will be based on established medical knowledge and practices. When the surgeon’s conduct falls below the established medical standard of care and that conduct causes injury to the patient, negligence is the legal basis for the patient to sue the surgeon. Negligence per se, on the other hand, is “[n]egligence due to the violation of a law meant to protect the public.” Unlike general negligence, which bases the standard of care on how a reasonable person would act in the situation, in a negligence per se case, the conduct is automatically considered negligent if it violates the law. For example, in a driving under the influence accident case, the minimum standard of care for a driver as it pertains to alcohol is the driving under the influence statute, which outlaws driving while under the influence. A violation of the statute is negligence per se. That conclusion is justified on the assumption that a reasonable person would not drive while under the influence because it is against the law, and the law is there to protect the public from drunk drivers.
In the context of a data breach class action lawsuits, the standard of care that each organization is alleged to be required to live up to is HIPAA and the other state and federal regulations pertaining to privacy and data protection. HIPAA requires that a covered entity put in place administrative, technical, and physical safeguards to protect PHI. HIPAA also requires organizations to provide timely notification to patients when their information is compromised. HIPAA and other state and federal regulations establish the minimum requirements for dealing with patient information. In other words, these regulations define the duty or the standards of care that a covered entity owes to its patients when collecting, maintaining, or using patients’ personal information. In the negligence context, the standard of care established by these regulations can be said to define the reasonable duty that a healthcare organization owes to its patients. When the conduct allegedly fails to satisfy that duty, one may be considered negligent. When the alleged conduct is in direct violation of a statute or regulation, one may be considered to be negligent per se.
The negligence allegations in these class action lawsuits fall into four main categories of failures. Those categories are the failure to secure the information, the failure to implement safeguards, the failure to monitor, and the failure to notify. The failure to secure allegation means that the organizations failed to build networks that could operationally protect the information according to industry standards and regulatory requirements. Conduct like not encrypting devices, not installing adequate firewalls, not installing or updating patches, and not providing adequate resources to maintain the systems were alleged to be negligent. The failure to implement safeguards allegation means that the organizations did not implement reasonable security protocols, employee training programs, password management procedures, or update the system following notification of other major breach events. Despite the organizations potentially having the proper infrastructure and procedures in place, the failure to monitor allegation stated that the organizations failed to monitor their systems, failed to recognize that their systems had been breached, and subsequently failed to prevent or stop the breach once they discovered their systems were compromised. Finally, the failure to notify allegation means that the organizations failed to notify the victims in a timely manner; failed to clearly and conspicuously explain to the victims the true nature and scope of the breach; and that the notification letters were inadequate or that the letters were flat-out misleading, resulting in inaction by the patients who unknowingly did nothing to protect themselves from harm to their identities.
The class action lawsuit plaintiffs and their attorneys are using state and federal laws to define contractual relationships between patients and healthcare organizations. They are also using those same laws combined with industry expectations to define what the standards of care are for safeguarding patient information. By doing so, they are unwittingly putting healthcare organizations into a catch-22, for which the only solutions are to create impenetrable computer systems, beef up the compliance programs with unlimited resources, or stop collecting patient information altogether. Neither option is a solution. Breaches are simply a reality of our industry. How organizations protect data and prepare to prevent breaches is a complex balance between regulations, resources, technology, risks, and time.
In the current healthcare arena that compliance personnel work, these cases represent a new and greater threat to our organizations. Whether these types of cases are settled by a jury verdict, a settlement agreement, or dismissed outright, the monetary costs are significant and the reputational harm unmeasurable. The facts of each individual case are specific to the circumstances of that case, but the core breach of contract and negligence allegations are virtually the same. The boundary line between compliance activities and lawsuit prevention can no longer be a mystical gray area for healthcare organizations. Compliance professionals must step into the void and aggressively promote programs that are not only minimally compliant with industry standards and regulations, but also plan for future compliance and legal risks as technology, laws, and expectations evolve. Close collaboration with executives and attorneys is required to sort out the legal implications of certain courses of action and to help guide executive decisions. Compliance programs need to be aggressive, consistent, and ever evolving. Compliance professionals must also be willing to cross over into the legal realm to ask questions and prod their legal peers regarding new legal threats and trends in order to discover new or better compliance options. When it comes to data breaches, compliance programs that allow equipment and software to exceed its serviceable lifespan, allow the consolidation of and retention of large amounts of information indefinitely, allow large numbers of individuals access to too much data, fail to educate about evolving threats, and are inconsistent create vulnerability that will likely result in a data breach and class action lawsuit.
Review the notice of privacy practices with the legal department to determine whether it unwittingly creates contractual obligations where none were intended.
Review regulatory requirements involving administrative, technical, and physical safeguards for protecting PHI and assess your organization’s situation to ensure that minimum safeguards are in place.
Review industry standards pertaining to information security and assess whether your organization’s capabilities and practices are up to the minimum standards.
Establish practices (based on industry standards) for reviewing and addressing new and evolving security risks.
Involve the legal department in drafting and reviewing notice of privacy practices and other patient rights documents to ensure that they do not unwittingly create contractual obligations when none are intended. Reword the rights and organizational requirements in such a way as to avoid creating unintended contractual obligations.
When determining whether to do a breach notification under state and federal regulations, consider the possibility that a delay in notification or a failure to notify a patient may result in additional liability stemming from a class action lawsuit.
Work closely with legal to clearly identify what duty the organization owes to patients when collecting and maintaining information, then make sure that duty and associated risks are communicated to the executives early so they can plan their budgets and operations accordingly.
Do not assume that legal knows the standards of care or the risks associated with collecting, creating, maintaining, or transmitting patient information.
Obtaining patient information is necessary for any treatment relationship. We should expect that patients will demand that we protect that information as part of their agreement to pay for the treatment.
Organizations may be unwittingly creating contractual relationships where none were intended when they make promises to patients in their notice of privacy practices.
Federal and state law may be used to establish the duty that organizations owe to patients who give them protected information.
Maintaining electronic systems and practices that operate below the minimum regulatory requirements and basic industry standards creates vulnerabilities that expose organizations to data breaches and class action lawsuits.
Compliance personnel must proactively and aggressively engage legal counsel and leadership to analyze technological advancements, capabilities, and practices if they ever plan to remain ahead of the ever-evolving threats to their data.