Sued for ransomware attack? Hacked health system hit with class action claim, Partner Avery Dial quoted, Part B News, Jan 2023
Health IT
A patient has brought a class action suit against a health system, claiming its negligence led to the breach of privacy and potential harm for which the plaintiff seeks damages — an ominous sign for practices in a time of rising ransomware attacks (PBN 1/23/23)….
No private right under HIPAA, but …
“When you have a statute like HIPAA that doesn’t provide for a private cause of actions, sometimes plaintiffs will cite the statute just as a general standard of care by which you could [allege] a breach of duty, so they don’t have to rely on the [more] general allegation that the defendant had a duty to protect personal information,” says Avery A. Dial, co-deputy chair of the Data Privacy & Cybersecurity Practice Group at Kaufman Dolowich Voluck in Fort Lauderdale, Fla.
Weak negligence claim?
Dial suggests that will require more than what’s in the complaint. “They can’t go into court and just say the defendant failed to implement and follow basic security procedures, because then the response is, ‘well, how?’” he says.
On the other hand
That doesn’t mean CommonSpirit is out of the woods, though. “Just because the damages don’t appear on the face of the complaint, that doesn’t mean they can’t come out in discovery,” Dial says.
While it’s not evident from the complaint that actual harm has been caused, “if a breached credential is used to steal the user’s identity and financial damages occur, that would be actual harm,” Dial adds.
Also, the plaintiff won’t be the only one investigating. “The OCR [HHS Office for Civil Rights] will conduct its own investigation, which may result in a fine to the company,” Wang says. “If the OCR finds CommonSpirit at fault in adherence to HIPAA regulations, that could be strong ammunition for the plaintiff in this case.”
Dial and Wang agree that a settlement may be in the offing in any case. In recent years courts seem to have become more sympathetic to those who suffer data breaches. “A 623,000 person class, with the amount of documentation and time and the discovery and forensic analysis involved, is really disruptive to a business,” Dial says. “So, I could see settlement as a possibility.”