Patient breach lawsuits pose new arguments about privacy expectations

Lawsuits from healthcare data breaches are growing more sophisticated as lawyers change tactics beyond trying to show that exposure of patients' personal information led to financial harm. An increasing number now are being filed on behalf of classes of plaintiffs, rather than individuals.

Two new arguments are arising, according to a Reuters article, including:

  • Unjust enrichment, in which the expectation of privacy was part of the purchase decision. When data is breached, as the argument goes, the provider gets to keep the payment, but the buyer loses the benefit of the bargain.
  • Breach of contract claims point to specific provisions in contracts and terms of service agreements that mention privacy, also arguing that privacy was promised as part of the service. These suits allege that the plaintiff was financially harmed by buying the service in the beginning.

Both still are difficult to prove, especially since 40 percent of large data breaches involve laptop or storage devices that are lost or stolen, according to the U.S. Department of Health & Human Services. Stolen laptops generally are resold for the hardware, not the data they contain.

The case that has advanced the furthest is against health insurer AvMed, which lost  information on 1.2 million patients when two laptops disappeared from a conference room in 2009. Last fall, the 11th Circuit Court of Appeals allowed a data breach suit alleging unjust enrichment and breach of contract to go forward, according to Reuters. Though the U.S. District Court in Miami dismissed the case, the appeals court ruled that the plaintiffs' claims should be heard. That case awaits trial.

Meanwhile, a case against Adventist Health System alleges unjust enrichment and breach of contract stemming from an alleged scheme by an employee to sell tens of thousands of patient records. Among the claims of inadequate security protections in its EHR system, the lawsuit alleges employee Dale Munroe was able to access the records of 760,000 patients at a hospital in Celebration, Fla., rather than the 12,000 records such an employee normally could open.

And in California, the state Confidentiality of Medical Information Act allows damages of $1,000 for anyone whose medical information is wrongfully disclosed, without the need to prove harm. Plaintiffs against Sutter Health, which is the target of at least 11 lawsuits, argue that the act should apply to the 4.24 million patients whose records were on a computer stolen in 2011.

To learn more:
- read the Reuters article