
Appeals court rules that stolen laptops class action against payer can proceed

The theft of two unencrypted laptops from Horizon Blue Cross Blue Shield put the personal health information of about 840,000 plan members at risk.


Longtime HIPAA aficionados will recall that there is no private right of action under the Act. In other words, a patient cannot sue a covered entity for damages as a result of a data breach under HIPAA. However, HIPAA may establish a standard of care relevant to an action under a different legal theory (as when lawsuits are brought under state law since no cause of action is available under HIPAA).

The Third Circuit Court of Appeals has now ruled that a class action lawsuit against Horizon Blue Cross Blue Shield (NJ) should be allowed to proceed, overruling the suit’s dismissal by a federal district court for plaintiffs’ lack of standing. The lower court ruled thus because the named plaintiffs had not experienced actual losses related to the data breach represented by the 2012 theft of two unencrypted laptops containing personal health information of about 840,000 plan members. (Unencrypted — even though Horizon previously experienced an unencrypted laptop theft in 2008 affecting 300,000 members.)

The case was brought under the Fair Credit Reporting Act, which creates a duty of care to consumers owed by consumer reporting agencies. Thanks to the complexities of healthcare and health insurance and federal law, insurance plans are considered consumer reporting agencies under FCRA. The plaintiffs argued that “the violation of their statutory right [under FCRA] to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact.” (“Injury in fact” is the key component of standing that was at issue in this case.)

The Appeals Court agreed, noting that the court had ruled in favor of plaintiffs in similar situations. One case was the Google cookie placement class action in 2015 (placing a cookie on a consumer’s hard drive in violation of the Secure Communications Act gives the consumer standing to sue even absent evidence of economic harm). Another was the Nickelodeon class action in 2016 (“when it comes to laws that protect privacy, a focus on economic loss is misplaced …. the unlawful disclosure of legally protected information constitutes a clear de facto injury”).

In the context of other legislative schemas, however, more than mere disclosure would be required to find liability. (Consider the most recent decision in the LabMD case.) Similarly, evidence of damages caused by the breach would be required in the context of a common law claim, even if the standard of care is extrapolated from a statute such as HIPAA.

If you are reading this from the perspective of a covered entity or business associate, you may decry the approach of class action plaintiffs’ counsel in bringing cases like the Horizon case. If you are a member of that class, you may wonder how much you may recover, and whether you ever will. If you are an observer of the health care privacy and security compliance landscape, you may ponder whether decisions in cases such as this may move covered entities and business associates to redouble their compliance efforts. After all, Horizon may still prevail in this case — there are many steps remaining — but it could have avoided the litigation entirely by devoting resources to developing and implementing more comprehensive data privacy and security policies and procedures, and ensuring that it had engendered a culture of compliance among its workforce.
