James Houston (jhouston@stlukeshealth.org) is Division Privacy Officer at CHI St. Luke’s Health Texas Division, Corporate Responsibility.
Being sued by patients and fined by government agencies is generally part of doing business in the healthcare arena. Large-scale data breaches are now changing that landscape. With the near ubiquitous use of electronic health records (EHR) and the ever-increasing volume and sophistication of attacks against organizations, a seemingly trivial oversight in an organization’s privacy and security compliance program can lead to unexpected and overwhelming consequences imposed by a class action lawsuit. The purpose of this article is to introduce the reader to what a class action lawsuit is and explain what claims are being exerted by plaintiffs as a result of a data breach.
Class action lawsuit
If you have a television, you have probably seen any one of the countless commercials produced by law firms that target people who may have mesothelioma, had defective breast implants, or suffered any number of injuries from medications. Many of those law firms are looking for people who can be plaintiffs in new class action lawsuits. The idea of a class action lawsuit is that there is a large number of people across a large geographic area who have suffered the same types of injuries at the hands of one or more specific organizations. A class action lawsuit is a massive lawsuit involving hundreds, thousands, or even millions of people. It is defined as “civil action filed under rule 23 of the Federal Rules of Civil Procedure or similar State statute or rule of judicial procedure authorizing an action to be brought by 1 or more representative persons as a class action.”[1] In a class action lawsuit, the representative person(s) may sue on behalf of all the members in the class if (1) there are so many members that joining everyone to the lawsuit would be impractical, (2) there are questions of law or facts shared among all the members in the class, (3) the claims of the representative person are typical of the claims of the class members, and (4) the representative party “will fairly and adequately protect the interests of the class.”[2] In order to file a class action lawsuit in federal court, the amount claimed in the lawsuit must be more than $5 million, and any member of the class of plaintiffs must be a citizen of a state different from any defendant[3] (the discussion in this article will evolve around the Federal Rules of Civil Procedure and federal statutes, because state class action statutes are generally modeled after the federal statutes and rules.)
Having a large group of injured people (class) alone is not enough to file a class action lawsuit. There must be some underlying legal basis for suing (action). That legal basis is known as the cause of action. Cause of action is defined as “the ground on which an action can be maintained.”[4] It is what makes it legally possible for someone to file a lawsuit. Consider the following example. Imagine that a vendor contracted to install a fire suppression system in a clinic. A year after the installation, a fire breaks out, and because the system failed to operate as intended, the clinic was destroyed and a dozen people were injured. The clinic and the injured patients may not sue the vendor unless there is a cause of action. In that example, the legal grounds for suing the vendor—the cause of action—may be that the vendor materially breached their contract, that the vendor was negligent in installing the system, that the vendor violated some regulation when installing the system, or even that they intentionally installed the system wrong. Whatever the reason may have been for the fire suppression system failure, the vendor cannot be sued unless there is a cause of action found in the law. In this example, the legal basis for suing the vendor includes breach of contract, negligence, negligence per se, and intentional tort.