Health Data Breach Lawsuits Surge as Cyberattacks Keep Climbing

DEEP DIVE
Skye Witley
Reporter


Christopher Brown
Staff Correspondent


Class actions over health privacy at highest rate in years
Trend shows no sign of slowing, attorneys say
Companies handling health data are fending off more cyberattacks each year, and those that do get hacked are facing costly litigation at rapidly rising rates, a Bloomberg Law analysis found.

The monthly average of new class actions filed over health data breaches so far this year is nearly double the rate from 2022, according to a Bloomberg Law analysis of 557 complaints filed against companies in federal courts over the last five years.

Many of the lawsuits seek civil damages in the millions of dollars, bolstered by claimed classes with large member numbers. Underpinning this swell in litigation is the comparatively gradual uptick in health cyber incidents, according to data maintained by the US Department of Health and Human Services’ Office for Civil Rights. The health industry is one of the most commonly targeted by cyberattackers, who seek profitable identifying data they can sell on the dark web or use for fraud.


“Since health-care entities are using technology in more ways, the number of breaches is going to potentially continue to rise,” said Kristyn Looney, associate general counsel for Indiana University Health, which recently fell victim to hackers. “If breaches continue to increase, as long as attorneys continue to be successful in making claims, then litigation at least isn’t likely to go down at all.”

Many hospital systems and other large health-care entities also make tempting targets for cybercriminals because they have deep pockets, are well insured, and are willing to pay to resolve ransomware attacks, according to Gary E. Mason, a partner at Mason LLP focusing on class actions.

The health industry saw the largest increase in average ransom paid last year, up to more than $1.5 million, according to an annual cybersecurity report published by Baker & Hostetler LLP in April.

Defense and plaintiff attorneys couldn’t identify a new legal precedent to explain the spurt in health data breach filings. But coalescing factors including proliferating ransomware attacks, public notification rules, and growing consumer awareness of privacy issues likely combined to fuel the litigation spike, attorneys told Bloomberg Law.

Breach Notification Rules
Companies affected by the largest health data breaches over the last five years were also among the entities most frequently sued over health data breaches, the docket analysis found.

Regulations mandating that health entities release breach notifications have made security incidents more public than cyberattacks in other industries, plaintiff and defense attorneys said. The Health Insurance Portability and Accountability Act requires that any breach affecting the health data of more than 500 people be posted on the OCR’s website.

The 2019 Laboratory Corporation of America cyber breach, for example, exposed the data of 10.2 million patients and was the second-largest health breach reported to the OCR in the last five years. LabCorp faced 19 class actions after the incident, according to the docket analysis.

More than 41 million people have had their health data exposed through Aug. 18 this year, and the volume of health data breaches reportable to the OCR has climbed year over year. The BakerHostetler report identified its health industry clients as most susceptible to cyberattacks compared with other industries including finance and retail.


That environment, and resources like the OCR website, enable plaintiff attorneys to quickly identify large security incidents that are potential litigation candidates, said Steven Nathan, an attorney who represents consumer classes in health data breach cases for Hausfeld LLP.

Other HIPAA mandates like breach notice letters, which must specify the categories of data possibly affected by a hack, give attorneys a better estimate of the class membership size than non-health data breaches, Nathan said.

“In other industries, you don’t have that mechanism to publicly and systematically identify large breaches, and then also identify how many individuals were affected,” said W. Reece Hirsch, a partner at Morgan Lewis & Bockius LLP counseling clients on health-care privacy.

The breadth of health-care class actions could grow further if the Federal Trade Commission follows through on a proposal to require entities not subject to HIPAA to report health-related breaches, because “that provides another channel for plaintiff attorneys to identify targets for litigation,” Hirsch said.

The steady flow of health-care data breaches and lawsuits has made the practice area routine and predictable for Mason’s firm, which hasn’t been typical in most plaintiff practice areas, he said.

“We all know what the arguments will be in a motion to dismiss. We know what a good settlement looks like,” Mason said. “We’re able to work with a stable of experienced mediators who are skillful at getting the parties together. We’re familiar with many of the attorneys after overlapping in cases. We’re even able to rely on some of the same templates, which I’ve never had the luxury of in my practice.”

Consumer Awareness
The class actions Bloomberg Law analyzed were filed in every state, with the highest concentration in California, where the country’s first comprehensive privacy law went into effect in 2020. Consumers in the 11 other states that recently passed data privacy protections could have a higher propensity to sue over health breaches now, attorneys said.

“Consumers are more interested in privacy than ever—and in knowing where their information goes and how it’s being used,” said Tyler Bean, an attorney at Siri & Glimstad with experience litigating on behalf of consumers in data-breach cases.

“They’re aware of their right to privacy, and are willing to file a lawsuit to protect that right,” he said.

Plaintiffs in the lawsuits Bloomberg Law analyzed commonly cited the health information privacy standards established by HIPAA in arguing that a data disclosure injured them, though the federal statute doesn’t grant a private right of action. Frequent claims included negligence and breach of contract, and the median damage demand was $5,000,000.

Casie D. Collignon, a partner at BakerHostetler, said a lack of clear guidance from the courts on threshold issues related to data-breach lawsuits may also have opened doors for increased litigation.

Open questions include whether plaintiffs whose information has been exposed in a breach have suffered a concrete harm sufficient for jurisdiction in federal courts and whether any harm they suffered was caused by the breach.

“There haven’t been any key dispositive rulings that would either put data-breach litigation to bed or make it keep increasing, and so we’re left with this void,” Collignon said. “Both sides are trying to take advantage of the situation, but without good heavy-hitting rulings that could help us navigate this space, things will probably keep going along as they have been.”

To contact the reporters on this story: Skye Witley at [email protected]; Christopher Brown in St. Louis at [email protected]

To contact the editors responsible for this story: Adam M. Taylor at [email protected]; James Arkin at [email protected]