Health Care Data Breaches and “Actual Injury”

Slack Davis Sanger attorney Paula Knippa, writing in the June 29  issue of Texas Lawyer, says that the health care industry is being increasingly targeted by hackers because the industry has failed to make cybersecurity a priority. Full article below.

Health Care Data Breaches and “Actual Injury”
by Paula Knippa

It seems not a day goes by without a report of another data breach. Target, Home Depot and even, most recently, the federal government, among others, have all been forced to disclose that their data storage systems have been compromised and that hackers, exploiting the weaknesses of those systems, have been able to gain access to the sensitive personal information of millions of unsuspecting customers and employees.

As the large-scale health care data breaches disclosed in the last year by Anthem, Premera and Community Health Systems suggest, the health care industry is both a vulnerable and attractive target to these hackers. In fact, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data conducted by the Ponemon Institute, there has been a 125 percent increase in hacking attempts on healthcare data storage systems since 2010. Further, this same study estimates that malicious hacking attacks now account for roughly 45 percent of data breaches reported by healthcare providers.

Why is the health care industry being targeted by hackers? Two plausible reasons come to mind. The first lies in the nature of the information collected and stored by healthcare entities—that is, the personal medical information of literally millions of patients. As it turns out, a patient’s personal medical information is extremely valuable on the black market. Cybersecurity experts report that it is worth at least ten times more than the credit card information typically sought by hackers.

Stolen patient data includes names, birth dates, policy numbers, diagnosis codes and billing information, which are then used by criminals to commit medical fraud. In this underground market, a patient’s number may be paired with a fake provider number and then used to file fraudulent claims with insurers. Or the patient’s data may be used to create fake identification, which is then used to obtain medical services or purchase medical supplies, equipment or drugs that are then resold to unscrupulous buyers.

Not only is this market for patient credentials lucrative, but their value is further enhanced by the fact that medical identity theft is not easily detected by the health care provider, insurer or patient. In contrast to credit card fraud, which tends to be identified relatively quickly either by the consumer or the financial institutions, resulting in the swift cancellation of the affected credit cards, the theft and use of medical information may go undetected for years, permitting fraudsters to profit from that information for a much longer period of time.

The second reason the health care industry is being increasingly targeted by hackers is likely due to the healthcare industry’s failure to make cybersecurity a priority, leaving its systems vulnerable to hacking efforts. According to cybersecurity experts and industry insiders, many healthcare companies rely upon outdated computer systems that do not employ the latest cybersecurity features. In other cases, even with state-of-the-art computer networks, companies make entirely avoidable blunders that compromise the security of their data storage systems. For example, in one recent case, a company responsible for the security and management of the data of millions of patients permitted a test server that was never intended to be connected to the Internet—but had the security credentials installed necessary to access its system—to, in fact, become connected to the Internet. Hackers were then able to exploit that access using a well-known virus that could have been easily deflected by the installation of a simple software security patch.

The successful hacking of health care entities’ data storage systems has spawned class action lawsuits across the nation. Such lawsuits typically assert claims for negligence, violations of individual state consumer protection statutes, violations of individual state data-breach notification statutes, breach of contract, and unjust enrichment. Most, if not all, of these lawsuits are subject to the Class Action Fairness Act of 2005, which expanded federal jurisdiction over a vast majority of class action lawsuits in the United States. The act gives federal courts jurisdiction over certain class actions in which the amount in controversy exceeds $5 million, the proposed class consists of at least 100 plaintiffs and any member of a class of plaintiffs is a citizen of a state different from any named defendant.

The most significant impact of the exercise of federal jurisdiction over data-breach class actions has been the imposition and interpretation of the constitutional requirement that a plaintiff have Article III standing. In 2013, the U.S. Supreme Court appeared to espouse a more stringent view of Article III standing in Clapper v. Amnesty Int’l. In interpreting the requirement that the injury complained of must be “concrete, particularized, and actual or imminent,” the court noted that an injury that has not yet manifested must be “certainly impending to constitute an injury in fact” capable of conferring Article III standing. Allegations of a possible future injury, however, would not be sufficient to confer standing and would require dismissal of the plaintiff’s claims.

Although Clapper did not address data-breach claims, many lower federal courts have interpreted the Supreme Court’s holding to mean that, unless a data-breach claimant can demonstrate that his or her identity has actually been stolen or some other immediately-quantifiable financial harm has been caused as a result of the breach, that claimant lacks Article III standing. For these courts, the undisputed fact that criminal hackers have in their possession the personal medical information of data-breach claimants and that the sole objective of obtaining such information is to sell it on the black market is insufficient to confer standing because the “actual injury” has not yet materialized. If this trend continues, it may be that an individual whose personal information is stolen as a result of the negligence of sophisticated corporate entities to whom that information was entrusted may be deprived of the opportunity to pursue a claim against and thereby exert pressure on those entities to take greater care with such information.