Healthcare Legal News: April 13, 2012 - Volume 2, Number 3

DATA BREACH ISSUES CONTINUE TO TAKE CENTER STAGE

Michigan is the Second State to See a Data Breach Class Action; OCR Issues First Penalty under HITECH

By Brian R. Balow

As we predicted in an article in our December 2011 issue, actions stemming from data breaches have increased in the first quarter of 2012. So far this year we have seen an increase in class action litigation and enforcement activity from the Office of Civil Rights.

Class Action - Sutter Health

In our December issue, we discussed the class action filed in California against Sutter Health, Sutter Medical Foundation, Sutter Physician Services, and Does 1 - 100, in connection with an October 2011 data breach from the theft of a password-protected, unencrypted computer, alleging violations of California's Confidentiality of Medical Information Act and California's breach notification law. This computer contained data on over 4 million patients. Since the initial filing in December, an additional 12 class actions were filed in California as a result of this same incident. In an effort to conserve judicial resources, the Judicial Council of California combined the 13 class actions in February. Since then, we have seen little additional activity.

California's pro-consumer environment provides an attractive test bed for private lawsuits related to data security breaches. In December, we anticipated that these California actions would get further along before similar actions appeared in other states. So far, this has not been the case.

Class Action - Henry Ford Health System

In February, Michigan became the second state to have a data breach class action lawsuit filed when the Henry Ford Health System ("Henry Ford") was sued for an alleged data breach that occurred at a medical transcription provider. According to the complaint, Henry Ford mailed a breach notification letter to the "named" Plaintiff (as "Jane Doe") in January 2010. In the letter, attached as an exhibit to the complaint, Henry Ford explained that the affected patient's data was visible on the Internet. Henry Ford learned of the data breach on November 29, 2009, and had the Plaintiff's information removed from public display by December 4, 2009. Henry Ford explained that it "is unable to determine exactly how long the information was visible online, however there is no proof it was viewed or used inappropriately." Part of the information allegedly disclosed was that the Plaintiff had a sexually transmitted disease.

This lawsuit seeks damages for (i) invasion of privacy through a public disclosure of per se embarrassing private facts and (ii) negligence. In Michigan, a plaintiff must prove actual damages to recover under a negligence claim, but in a claim of public disclosure of private facts, emotional distress and mental anguish may be enough.

HHS/OCR HITECH Action - Blue Cross Blue Shield of Tennessee

Most recently, on March 13, 2012, the Department of Health and Human Services (HHS)...
