Healthcare Information Security

Patient Privacy News

Do Healthcare Data Breach Lawsuits Have Reasonable Standards?

Healthcare data breach lawsuits often have a difficult task in proving what is expected in terms of data protections, but are they actually unreasonable expectations?


By Elizabeth Snell

Being able to prove fault in a healthcare data breach class action lawsuit is inherently difficult, but it is also important to understand the privacy expectations, according to a recent Corporate Clients Insight blog post.

Data breach cases are not as simple for plaintiffs as they may seem, wrote LeClairRyan Partner Chad Mandell. It is hard to prove proper legal standing, “and class certification remains an obstacle that has yet to be successfully overcome,” he noted.

Citing the Anthem data breach where approximately 80 million individuals’ records were potentially compromised, Mandell stated that no court has yet certified a consumer data breach class.

“The aforementioned Anthem case also highlights another question worth considering in these suits — namely, whether plaintiffs are attempting to hold companies to standards of data-privacy protection that are realistic or fair in today’s cybersecurity environment,” Mandell explained.

This raises the question: what are reasonable privacy expectations in an increasingly digital age?

Mandell noted that some internet users do not follow smart security and privacy practices. Weak passwords and failing to “opt out” of certain invasive requests could also cause information to be compromised.

“No organization, no matter how large and no matter what security protocols are in place, is immune from its systems being compromised,” Mandell wrote. “Thus, it is reasonable to ask whether alleged damages in a data-breach case truly can be traced to a given hack of a particular company or whether they stem from a prior breach or multiple prior breaches of the plaintiff’s own computer.”

Calling back to the Anthem case, Mandell explained how the court “framed an order that drastically limited the amount of information that could be culled from forensic examination of the plaintiffs’ computers.”

Measures were also put in place to control who had access to the plaintiffs’ information.

“[Enough measures] so that one could safely state that the degree of protection afforded to these plaintiffs’ personal information in the course of the forensic examination would actually have been greater than under most everyday circumstances,” Mandell stated.

Even so, it was not enough for all plaintiffs, he said. Therefore, companies – such as Anthem and other healthcare providers – may be held to impossible standards when it comes to keeping personal privacy protected.

Earlier this year, the US Court of Appeals, Fourth Circuit, dismissed a data breach lawsuit that alleged the William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC) had violated the Privacy Act of 1974 and the Administrative Procedure Act (APA).

In that case, plaintiffs claimed that earlier reported Dorn VAMC data breaches created an “increased risk of future identity theft,” and that there were costly measures to protect against it.

The appeals court, however, agreed with the district court’s ruling that there was a lack of subject-matter jurisdiction.

Similarly, the Pennsylvania Superior Court recently dismissed claims in a healthcare data breach class action lawsuit in 2016. The superior court stated that the trial court needed to review the plaintiff’s claim under the Uniform Trade Practices and Consumer Protection Law (UTPCPL).

Plaintiffs had filed a class action lawsuit against Keystone Mercy Health Plan and Amerihealth Mercy Health Plan for a missing USB flash drive that allegedly contained PHI. The plaintiffs claimed that the health plans had performed deceptive practices under UTPCPL.

The judge explained, however, that justifiable reliance is necessary for deceptive practice claims under UTPCPL.

“As stated previously, on December 9, 2014, a panel of this Court affirmed the trial court’s denial of class certification on Appellant’s negligence claims but vacated its decision to deny class certification on the UTPCPL deceptive conduct claim,” the opinion stated. “In doing so, the panel noted the trial court had concluded that Appellant’s UTPCPL claim did not satisfy the commonality requirement of Rule 1702(2) because a plaintiff who brings a private cause of action under the UTPCPL must show reliance…”
