District of Arizona Clarifies Causes of Action Available for Breach of Health Data | Baker Botts LLP - JDSupra

Healthcare providers wrestling with the legal fallout of cyberattacks just received a fresh reminder from the District of Arizona: traditional tort and contract theories remain difficult to sustain after a breach, but consumer-fraud statutes can keep a case alive.

In Johnson v. Yuma Regional Medical Center, fourteen patients sued the hospital after a ransomware incident exposed the data of roughly 700,000 individuals. In a 16-page opinion, Judge Susan M. Brnovich dismissed four of the five causes of action (negligence, breach of implied contract, unjust enrichment, and breach of fiduciary duty) while allowing a single claim under the Arizona Consumer Fraud Act (ACFA) to proceed.

Tort and Contract Claims Dismissed

Consumer-Fraud Claim Survived

The Court took a different view of plaintiffs' fraud-by-omission theory under the ACFA. Patients alleged they received the hospital's Notice of Privacy Practices and Privacy Policy, relied on its assurances of confidentiality, and were never told about major security deficiencies. Although Rule 9(b) normally demands specificity, the court recognized that omission-based fraud claims have some leeway: plaintiffs cannot pinpoint the time, place, and specific content of an undisclosed fact. The complaint alleged enough detail to suggest they would have acted differently had the hospital disclosed its security gaps, so the ACFA claim moves forward to discovery.

Key Takeaways for HIPAA Compliance and Breach Response

HIPAA remains a regulatory, not civil-liability, framework
Courts continue to resist plaintiffs' efforts to convert HIPAA into a private duty or implied contract. Compliance failures can trigger OCR investigations and penalties, but they rarely translate directly into negligence or contract damages.

Consumer-protection statutes are a real litigation risk
Even when traditional tort claims fail, plaintiffs can survive a motion to dismiss by alleging that privacy notices or online policies omitted material facts. Updating these documents, and ensuring they accurately reflect the current security environment, has never been more important.

Puffery is not a complete shield
Generic statements that an organization is "committed to protecting data" may be safe from contract claims, but they offer little defense against fraud-by-omission allegations if the actual security posture is weak. Precision and transparency are critical.

Economic harms alone may not clear the duty hurdle
At least in the District of Arizona, purely financial injuries from data theft are unlikely to support negligence under an assumed-duty theory. Plaintiffs must therefore focus on statutory avenues or show additional non-economic harms.

Post-incident communications matter
The hospital's proactive credit-monitoring offer and security upgrades did not insulate it from liability. Courts evaluate duty and deception based on pre-breach disclosures, not post-breach remediation.

Conclusion

Johnson reinforces a growing trend: HIPAA violations, standing alone, seldom generate private negligence or contract liability, but plaintiffs can still gain traction by framing their case as a deceptive practice or fraud-by-omission claim where the underlying state laws support such claims. Healthcare entities should view privacy notices as live documents, not boilerplate, and align them closely with the organization's actual cybersecurity capabilities.

Plaintiffs have not adequately established public policy imposes a legal duty.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.