Data Breaches: No Harm No Foul
In the past few months there have been two Federal District Court rulings addressing lawsuits brought in part on an alleged disclosure of Personally Identifiable Information (PII) and/or Protected Health Information (PHI) protected under the Health Insurance Portability and Accountability Act (HIPAA). In the rulings, the Courts have relied on a recent Supreme Court ruling on a case involving a class action lawsuit alleging violations of the Fair Credit Reporting Act (FCRA) issued in the spring of 2021.
The Supreme Court case, titled Ramirez v. TransUnion, arose out the named plaintiff, Sergio Ramirez, being placed on a list maintained by the Treasury’s Department’s Office of Foreign Assets Control (OFAC) of people with whom United States companies cannot do business because they have been flagged as being either terrorists, drug traffickers or serious criminals. Ramirez’s credit report with TransUnion contained inaccurate information and TransUnion eventually removed the OFAC alert from any future credit reports that might be requested by, or on behalf of, Ramirez. The class action lawsuit brought by Ramirez and others similarly situated against TransUnion was premised on the fact that the class members’ credit reports contained misleading information and the information was disseminated to the third parties. The Supreme Court dismissed a portion of the class members from the suit based in part on the fact they were unable to show their information was disclosed to a third-party, that they did not suffer an actual injury-in-fact and that they were unable to demonstrate concrete harm needed to have standing to pursue a claim against TransUnion. The two recent dismissals of the HIPAA based lawsuits relied on the Supreme Court’s decision in Ramirez.
In a decision issued December 9, 2021, a class action lawsuit titled Quinto v Metro Santruce, Inc., brought in the District of Puerto Rico arising from a ransomware attack involving two Puerto Rico hospitals in which PII and PHI of patients were allegedly compromised, was dismissed because there was not a sufficient injury to confer standing to pursue a claim. The Court noted that the class was able to show a ransomware attack occurred and that data was held hostage, but not stolen. The Court, in dismissing the suit, noted that the plaintiffs were only able to provide “speculative and conclusory” statements that any of their data was accessed, stolen or misused. In issuing the dismissal the Court relied in part on the fact that the affected Hospitals sent letters to the patients that no information was exfiltrated from their networks, finding that the plaintiffs’ allegations of alleged harm were pure speculation, and that any injury is merely conjectural or hypothetical.
On February 3, 2022, a magistrate judge in the US District Court for the Western District of New York recommended dismissing a class action suit brought against a medical management company arising out of a data breach that occurred in December of 2020. The case, titled Tassmer v Professional Systems, involved a ransomware attack and unauthorized acquisition of employee and patient information. The plaintiffs alleged they spent time reviewing account statements and credit reports after being notified of the unauthorized access, as well as injuries such as the diminished value of their PHI, violation of their privacy rights and future harm due to the potential for misuse of information and an increased risk of identify theft. The Court, relying on the decision in Ramirez, concluded that the risk of any injury was speculative and that “plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is certainly impending.”
These two recent cases cited above are obviously favorable in situations where a defendant can show that no injury-in-fact has occurred because of a breach or disclosure, but also demonstrate the need to address, as soon as possible, any potential disclosure of PII or PHI that may occur and provide clear communication in notices sent to any affected individual. Lawsuits for data breaches have been on the rise, and while HIPAA does not currently confer any private cause of action, the standards it imposes on covered entities and their business associates has been a basis for suits as litigation in this area continues to develop. While there are regulatory requirements in place that must be followed for any breach or disclosure of PII or PHI, a proper response to any breach or disclosure may mitigate, and potentially insulate, a covered entity or business associate from any potential civil liability.
For additional information please contact Rolf Lowe of Wachler & Associates at firstname.lastname@example.org.