Data Breach Characterized Instead As Violation of Medical Confidentiality and Privacy Provides Basis for Class Action

by John Zen Jackson

In a posting on this blog earlier in April of this year, we commented on the approval of a class action settlement in a matter in the United States District Court for the Southern District of Florida arising out of the loss of laptops holding unencrypted protected health information, where there had been no demonstration of actual injury in the form of identity theft.  That outcome seemed contrary to the major trend in data breach cases, including the then fairly recent decision in Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013).  The Florida Federal case had been grounded in state law and not HIPAA or HITECH.  But a groundswell may be developing that signals an increase in the viability of class actions based on security breaches involving medical data.

In Tabata v. Charleston Area Medical Center, 2014 WL 2430061 (W.Va. May 28, 2014), the highest court in West Virginia ruled that the plaintiffs had standing and met the requirements for class certification.  More than 3,000 patients of the Medical Center had their personal and medical information placed on the internet for an approximate six-month period so that it was exposed to view “if someone were to conduct an advanced internet search.”   In connection with the eventual breach notification to patients required by HIPAA/HITECH, all patients were offered a year’s worth of credit monitoring at the Medical Center’s cost.

Five of the patients filed a complaint alleging causes of action under West Virginia law for breach of a duty of confidentiality, violation of privacy, and negligence.  Plaintiffs filed a motion for class certification.  Discovery conducted to that point had not identified any instance of unauthorized users actually accessing or making any harmful use of the plaintiffs’ data or an instance of identity theft or any economic losses.  The trial court denied class certification finding that the burden of establishing commonality, typicality, and predominance of common issues of law or fact had not been met.  It also found that the plaintiffs lacked standing to bring the claims “because they have failed to show that they have suffered a concrete and particularized injury that is not hypothetical or conjectural.”

On appeal, the West Virginia Supreme Court of Appeals agreed with the lower court that the risk of future identity theft alone did not constitute an injury in fact for purposes of standing.  However, it noted that the complaint also asserted causes of action for breach of physician-patient confidentiality and invasion of privacy, and that it was well established in West Virginia law that a patient had a cause of action against a physician who wrongfully disclosed confidential health information.  In a 2012 decision, the court had held that these common law torts were not preempted by HIPAA.

The court concluded that as patients of the Medical Center, plaintiffs had “a legal interest in having their medical information kept confidential,” that “this legal interest is concrete, particularized, and actual,” and that “when a medical professional wrongfully violates this right, it is an invasion of the patient’s legally protected interest.”  All of this was sufficient to give plaintiffs standing to bring a cause of action for breach of confidentiality.  It reached a similar conclusion with regard to the cause of action for invasion of privacy and went on to find the prerequisites for class certification were also present.

A brief dissent was filed by a single justice, stating that “[t]his case is a typical example of a frivolous class-action lawsuit.”  Invoking the proposition of “no harm, no foul,” he would have held that plaintiffs lacked standing and prognosticated that after “massive amounts of attorneys fees” were incurred by the defendant conducting discovery of the several thousand unnamed plaintiffs, there would still be no injury identified.  The trial court would then decertify the class and dismiss the matter.

Although it is widely accepted that neither HIPAA nor its expansion through HITECH and the 2013 Omnibus Rule provides a private cause of action, the HIPAA/HITECH provisions can be used to supply a standard of care and a concomitant legal duty regarding protection of health information from wrongful disclosure.  This has been quietly developing since at least 2006, when the appellate court in Acosta v. Byrum, 638 S.E.2d 246 (N.C. App. 2006) looked to HIPAA as “evidence of the appropriate standard of care, a necessary element of negligence.”  See generally Renewed Concern for Tort Actions Based on HIPAA, 1 MDAdvisor 14 (January 2008).  Certainly the expanded liability of Business Associates as a result of HITECH presents an increased scope of exposure for breaches of patient confidentiality and an enlarged list of defendants for a class action claim.  This is a trend to keep an eye on.