HIPAA/HITECH Data Breaches and Class Action Exposure?

by John Zen Jackson

A new adverse consequence for violations of HIPAA requirements for the security of protected health information and data may be emerging.  On February 28, 2014 the United States District Court for the Southern District of Florida entered an Order Granting a Motion for Final Approval of Class Action Settlement in Curry v. AvMed, Inc., Civil Action No. 10-cv-24513.  The District Court’s approval of the $3 million settlement concludes a litigation that had initially been dismissed for failure to state a cognizable injury: the complaint predicated recovery upon the spectre of injury in the form of a heightened likelihood of identity theft rather than injury in fact, and the district court held that the expenditure of time and money to combat future identity theft was not sufficient.  The case went to the Eleventh Circuit Court of Appeals, which reversed and remanded the matter.  Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012).  The settlement in effect implemented the approach promulgated by the Court of Appeals.

Violations of HIPAA’s requirements for security of protected health information, as reinforced by the more recent HITECH and Omnibus Rule provisions, have been drawing increasing scrutiny and severe enforcement from the Office for Civil Rights.  The $1.7 million settlement with WellPoint for security violations and the $1.2 million settlement with Affinity Health Plan for returning a leased photocopier without erasing the data on its hard drives are only two recent instances of this phenomenon.  In addition to the substantial penalties, which accrue at up to $50,000 per violation with each affected patient counted as a separate violation, there are the costs associated with the data breach notification requirements and the resultant negative publicity.

Civil lawsuits, especially in the form of federal class action claims, have not been a meaningful danger.  The lack of a private right of action for HIPAA violations is firmly entrenched.  The requirements for standing in a federal class action have worked to preclude most consumer litigation alleging data breach.  According to Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), actual or imminent injury is necessary for Article III standing in a federal lawsuit, not simply the potential for injury.  Clapper was not a data breach claim, but its analysis is applicable.  In addition, the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d), gives the district courts original jurisdiction over putative class actions where minimal, even if not complete, diversity of citizenship exists.  The Act permits removal of a lawsuit from state to federal court where there is a class of more than 100 people and the aggregate claims exceed $5 million, even if only state law claims are being made.  Thus, data breach cases are routinely removed to federal court, which has been notably less hospitable to such claims.  However, data breach class actions may still be brought in state court.  Indeed, the Supreme Court recently held on January 14, 2014 that actions brought by state attorneys general are not removable to federal court.  See Mississippi ex rel. Hood v. AU Optronics Corp., 134 S. Ct. 736 (2014).  This would include civil damage actions brought pursuant to HITECH for violations of the HIPAA privacy and security regulations by covered entities and business associates.  See generally 42 U.S.C. § 1320d-5(d).

The factual scenario in Resnick v. AvMed is unfortunately all too familiar and recurrent.  Laptops containing the unencrypted protected health information of over a million health plan members were lost.  The court of appeals held that the pleading, which alleged that the plaintiffs had experienced no identity theft before the data breach and then discovered instances of identity theft about a year after the loss of the laptops, set forth a sufficient cognizable injury, with sufficient facts to allow a plausible inference that AvMed’s failure to secure the data resulted in the identity thefts suffered by the plaintiffs and that there was a sufficient nexus between the data breach and the identity theft.  The claims in Resnick were not based on HIPAA or HITECH provisions but rather on Florida law.  However, a number of cases have used the HIPAA regulations as a “standard of care” for purposes of state law breach of confidentiality claims.

The February 2014 approval of the class action settlement may be the precursor of a lower threshold for data breach claims.  In contrast is the decision of the District of New Jersey in Polanco v. Omnicell, Inc., 2013 WL 6823265 (D.N.J. Dec. 26, 2013), in which a class action was dismissed for lack of injury-in-fact.  This was another lost laptop case, involving the PHI of thousands of patients that had been provided to a vendor of medication control and dispensing systems.  An employee’s laptop containing this unencrypted information was stolen from a parked car.  The defendants included several hospitals and healthcare systems to which patients had provided their personal information while seeking healthcare treatment.  (McElroy, Deutsch, Mulvaney & Carpenter, LLP was counsel of record for one of the defendants in the lawsuit.)

Relying on Clapper, Judge Hillman found that plaintiffs had failed to allege sufficient injury-in-fact to have standing to bring the lawsuit in federal court.  The court found that Clapper was “controlling.”  In his opinion, Judge Hillman rejected the plaintiff’s attempt to distinguish Clapper by claiming that the current matter was not a data breach case.  Plaintiff asserted that the data breach had revealed that at least one of the hospitals was not HIPAA-compliant and that it continued to fail to take corrective steps to prevent further dissemination, and she sought to compel the institutions to purge their records of her PHI.  The court noted that there is no private right of action under HIPAA and that enforcement responsibility rests with the Secretary of Health and Human Services.  Citing the Third Circuit decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), it rejected the contention that the time and expense of monitoring the consequences of the alleged data breach satisfied the injury requirement.  The court dismissed the complaint without prejudice for lack of subject matter jurisdiction.

The Eleventh Circuit opinion in Resnick was issued before the SCOTUS opinion in Clapper.  Although the Florida District Court’s approval of the class action settlement suggests a continuing vitality to the Resnick approach to standing and injury, decisions such as Polanco call into question whether it is still good law.  That remains to be seen.  But what is clear – and has been for some time – is that the costs associated with encrypting data are small in comparison to the costs of litigation, breach notification protocols, and potential penalties arising from failure to comply with HIPAA and HITECH.