Dismissed Breach Cases: A Common Element
Yet Another Suit Thrown Out Because of Lack of Proven Harm
Yet another California healthcare breach lawsuit has been dismissed because the plaintiffs could not prove that anyone actually viewed the data stored on a stolen, unencrypted device.
A federal court this week dismissed a class action lawsuit against Alere Home Monitoring tied to a 2012 breach impacting more than 100,000 patients.
The suit against Waltham, Mass.-based Alere, which provides home testing products and services for patients, was filed in January 2013 in the U.S. District Court for the Northern District of California. In the court's Oct. 7 decision, the judge ruled that there can be no liability for the negligent release of stolen medical information under California's Confidentiality of Medical Information Act because there is no proof the data was actually viewed by a third party as a result of the theft of an unencrypted laptop.
Two Similar Cases
There have been similar court rulings in several other recent health data breach cases, including two that are being argued before the California Supreme Court, says Eric Grover, a partner at law firm Keller Grover LLP, who represented plaintiffs in the Alere case.
One of those cases is a consolidated class action lawsuit against Sutter Health related to a 2011 breach involving a stolen unencrypted desktop computer containing data on more than 4.2 million individuals. That case had been dismissed in July by an appellate court in California (see Sutter Health Breach Suit Dismissed).
In a finding similar to the Alere case, the appellate court ruled in the Sutter case that "plaintiffs have failed to state a cause of action under the [California] Confidentiality Medical Information Act because they do not allege that the stolen medical information was actually viewed by an unauthorized person."
The other case being argued before the California Supreme Court involves a class action suit filed against the Board of Regents of the University of California stemming from a breach involving a 2011 burglary at the home of a UCLA Faculty Group Practice physician. An unencrypted external hard drive stolen in the burglary contained data on more than 16,000 patients treated at UCLA facilities. That suit alleged UCLA failed to have reasonable controls in place to prevent the disclosure of private medical information. In its dismissal of the case, a California appellate court noted there was no confirmation that the affected patients' data was actually inappropriately accessed.
Where Data Ends Up
A challenge in breach-related lawsuits involving lost or stolen unencrypted devices is "plaintiffs showing where the data ended up or what thieves did with the equipment," Grover tells Information Security Media Group. Even in breach cases where there have been plaintiffs who have become victims of identity theft, the challenge is "proving with certainty that the identity theft followed the breach," he says.
Grover says the recent ruling gives the plaintiffs 21 days to file an amended complaint against Alere that addresses other concerns. However, no decision has been made yet on whether an amended complaint will be filed, he says.
"The Alere Home Monitoring decision adds to the growing case law in California that holds that a class action under the California Confidentiality of Medical Information Act requires an affirmative showing that medical information was actually viewed by an unauthorized party, not merely lost or stolen," says privacy attorney Adam Greene of law firm Davis Wright Tremaine.
"This trend is of great importance to California entities because the statute provides nominal damages of $1,000 a person," Greene says. "Accordingly, if a laptop containing medical information of 100,000 is lost or stolen and there is no evidence that the information was accessed, rulings like Alere potentially mean the difference between a dismissal and a $100 million verdict."
Attorney Boris Segalis, a partner in the New York office of national law firm InfoLawGroup LLP, says recent court rulings in California and elsewhere send a mixed message to healthcare companies when it comes to breaches.
On one hand, breach notification laws, including the federal HIPAA regulations, expect companies to report incidents involving the theft or loss of unencrypted patient data, even when there is no certainty the information has been viewed or accessed.
Yet in the pattern of recent court decisions in breach lawsuits, judges have ruled that plaintiffs have not suffered damages because there is no proof their lost or stolen data was accessed or viewed. "There's a disconnect between breach notification laws and whether there's enough evidence for courts in these cases that a breach has actually occurred," Segalis says. "There's a lot of ambiguity in breach laws."
Attorney Stephanie Ann Sheridan of the law firm Sedgwick LLP in San Francisco, who represented Alere in the case, disagrees with that assessment.
"Breach notification is proactive in that it tells individuals there are potential problems that could result from an incident, so that individuals can protect themselves," she tells ISMG. In the Alere case, the company offered free credit monitoring to help individuals potentially affected by the incident, she notes. "Alere is pleased with the outcome, and the court rendered the correct judgment," she adds.