Dive Brief:
- Two recent California court cases are highlighting the difficulty that plaintiffs have in suing hospitals after a data breach.
- After the theft of a computer containing personal information on more than 500,000 patients, a class-action suit for $500 million in damages was filed against Eisenhower Medical Center. Courts ruled that health systems aren't liable for loss of information that doesn't include medical histories, conditions or treatments. Plaintiffs also lost a $4-million suit against Sutter Health after another computer theft.
- Two other suits have been dismissed this year because plaintiffs could not demonstrate they were harmed: one was a data breach at Advocate Health and Hospitals Group that released the health information and Social Security numbers of more than 4 million people; the second was the defense department's TRICARE program in which 4.7 million people's information was compromised.
Dive Insight:
"These decisions set a powerful precedent on damages that can be awarded in the event of data breaches," Beth Diamond, claims team leader for Beazley's technology, media and business service focus group, said in a statement regarding the hearings. "While healthcare providers have a clear duty to protect patient information, they should not be subject to opportunistic damages claims. We applaud the courts' decisions in establishing firm boundaries on liability."
But with the number of breaches growing every day, attorneys will continue to sue health systems when they occur. At least two separate class-actions lawsuits have been filed against Community Health Systems in response to its breach of data impacting 4.5 million patients that was disclosed in August. One suit was filed on behalf of five Alabama residents and other patients; the other was for Briana Brito of San Miguel County, New Mexico and other patients affected. The second suit addresses not only the risk to patients incurred by the suits, but notes the value of services was diminished due to the breach.
"We expect to see further efforts by the plaintiffs' bar to develop innovative theories of liability that will present additional risks to affected organizations in the wake of a data breach," Ted Kobus, national co-leader on privacy and data protection at BakerHostetler, the law firm that represented Eisenhower Medical Center, said in a statement.