Healthcare Data Breach Lawsuits On the Rise, Report Shows

April 11, 2022 - As healthcare data breaches continue to impact small and large organizations across the country, accompanying data breach lawsuits are becoming increasingly common. Law firm BakerHostetler’s latest data security incident report showed an increase in duplicative lawsuits, often resulting in steep defense and settlement costs.

BakerHostetler analyzed more than 1,200 data security incidents from 2021 that its Digital Assets and Data Management Practice Group members helped clients manage. The incidents spanned a variety of sectors, but the results showed that healthcare was the most impacted industry, with 23 percent of the analyzed incidents affecting the sector.

The report revealed that 23 of the incidents resulted in one or more lawsuits. While this may not seem like a big number, over 58 lawsuits stemmed from those 23 incidents.

“Previously, there was always a risk of multidistrict litigation following large data incidents. However, now we are seeing multiple lawsuits following an incident notification in the same federal forum. Or, in the alternative, we see a handful of cases in one federal forum and another handful of cases in a state venue,” the report noted.

“This duplicative litigation trend is increasing the ‘race to the courthouse’ filings and increasing the initial litigation defense costs and the ultimate cost of settlement, due to the number of plaintiffs’ attorneys involved.”

READ MORE: Latest Healthcare Data Breaches Impact Providers, Business Associates

What’s more, 43 of the more than 58 lawsuits were filed against healthcare organizations specifically.

As recent cases have shown, it is difficult to succeed in healthcare data breach lawsuits from a plaintiff’s perspective. This is partly thanks to Ramirez v. TransUnion, in which the Supreme Court ruled that data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage.

The June 2021 ruling signified a significant shift in how data breaches are handled in court. Plaintiffs must now prove that they suffered a concrete injury to claim Article III standing. For example, in February 2022, a judge recommended the dismissal of a class-action lawsuit against medical management company Practicefirst, citing insufficient evidence of actual harm resulting from a December 2020 breach.

“Over the past decade, there have been very few published class certification rulings following data incidents, but the majority that existed were favorable to the defense,” BakerHostetler noted.

“However, 2020 and 2021 brought two critical class certification rulings that are emboldening plaintiffs’ firms, in both the number of their litigation filings and their negotiation tactics during mediations.”

READ MORE: FDA Seeks Feedback on Medical Device Security Guidance

The class certification rulings, In re Brinker Data Incident Litig. and Fero v. Excellus Health Plan, Inc., brought new arguments to the surface.

In Brinker, the defendant reasoned that the plaintiffs, whose payment card information had been breached, could not prove causation because at least one of them was impacted by a previous breach. The court ruled that the “multiple breach issue” did not disqualify causation.

“We predict that this same reasoning will not be applied to non-payment card cases, but its holding will need to be considered in any litigation strategy, as long as it remains good law,” the report stated.

In Fero v. Excellus Health Plan, Inc., the court “certified an injunctive relief-only class but denied certification of all damages,” the report explained.

“Ultimately, certification of only injunctive claims can be a hollow victory for plaintiffs because it eliminates the possibility of a large monetary judgment and because most defendants who have suffered a data breach will have made significant changes to their data security posture by the time the case gets to trial.”

READ MORE: OCR Seeks Public Input on Penalties, Security Measures Under HITECH

Interestingly, smaller data breaches resulted in more lawsuits than larger ones. BakerHostetler found that 8 of the 23 lawsuits resulted from data breaches that impacted more than 1.2 million individuals, while 11 lawsuits resulted from breaches that impacted less than 700,000 individuals.

In addition to litigation insights, the report noted that 37 percent of the 2021 incidents could be attributed to ransomware, compared to 27 percent in 2020. The firm also observed hackers using double or triple extortion tactics to increase pressure on victims.

“A key difference between organizations that had meaningful ransomware events and those that did not was the use of a fully deployed endpoint detection and response tool that was set in enforcement mode with the anti-uninstall feature enabled,” Craig Hoffman, co-leader of BakerHostetler’s national digital risk advisory and cybersecurity team, said in a press release.

“Organizations that were affected by a ransomware attack in 2021 were more likely to have effective backups to restore from. Ransomware attacks are not going away. In addition to an EDR tool and a robust business continuity plan, effective measures to combat this risk include multi-factor authentication, effective patch management and addressing remote desktop protocol. These measures apply to both the organization and its vendors.”