Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.
In my first post of this year, “What Lies Ahead in 2017,” I suggested some “hot topics” of concern for the healthcare industry. One of those related to continued data breaches. This month I want to discuss several recent breaches and consider how such breaches might (and I stress might) give rise to class actions against the provider which suffered the breach.
Let’s start with MAPFRE Life Insurance Company of Puerto Rico (MAPFRE). On January 18th, the Office for Civil Rights (OCR) announced a settlement with MAPFRE arising out of the “impermissible disclosure of unsecured electronic protected health information (ePHI).” MAPFRE “underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.” MAPFRE reported to OCR in 2011 that a “USB data storage device (described as a ‘pen drive’) containing ePHI was stolen from its IT department, where the device was left without safeguards overnight.” The device stored names, birth dates, and Social Security numbers of over 2,000 people. Subsequent investigation by OCR determined that MAPFRE was not compliant with the HIPAA Rules. According to a press release from the Department of Health and Human Services (HHS), MAPFRE exhibited:
“a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014.”
According to Healthcare Informatics, “MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake, according to HHS.”
MAPFRE paid $2.2 million and implemented a corrective action plan. The Resolution Agreement and Corrective Action Plan is available at https://www.hhs.gov/sites/default/files/mapfre-ra-cap.pdf.
In another recent case, OCR imposed a $3.2 million HIPAA civil monetary penalty on Children’s Medical Center of Dallas (Children’s). Announced on February 1st, this penalty arose out of several data breaches. First, in 2009, there was a “loss of an unencrypted, non-password protected BlackBerry device” at a local airport. In 2013, there was a “theft of an unencrypted laptop” from Children’s that stored the ePHI of over 2,400 people. According to a press release from HHS,
“OCR’s investigation revealed Children’s noncompliance with the HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, mobile devices and removable storage media until April 9, 2013. Despite Children’s knowledge about the risk of maintaining unencrypted ePHI as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.”
What’s the Common Thread?
What do these data breaches have in common? Among other things, ePHI was stored on unencrypted devices. Moreover, there was a failure to undertake adequate security measures.
Might similar breaches lead to individual or class actions filed by the individuals whose protected health information was the subject of a breach? The answer depends on how a federal court interprets the decision of the United States Supreme Court in Spokeo v. Robins, 136 S. Ct. 1540 (2016), and applies it to the facts and law before it. At issue is “standing” under Article III of the Constitution. Article III standing requires an “injury in fact,” a “causal connection between the injury and the conduct complained of,” and a likelihood “that the injury will be redressed by a favorable decision.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). The injury-in-fact element requires a “concrete and particularized” harm, so the question becomes whether a person whose ePHI was lost can maintain an action absent any allegation that the breach led to an actual injury to her. The answer to this question is beyond the scope of this blog, but the reader might look at In re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 15-2309 (3d Cir. Jan. 20, 2017), for a possible answer.
The dispute in Horizon began with the theft of two laptops, “containing sensitive personal information,” which were stolen from Horizon, a health insurer. The plaintiffs alleged that Horizon had committed “willful and negligent violations of the Fair Credit Reporting Act (“FCRA”) *** as well as numerous violations of state law. Essentially, they say that Horizon inadequately protected their personal information.” The district court dismissed the complaint since “none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.” The United States Court of Appeals for the Third Circuit reversed the dismissal, concluding that, “[i]n light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes.”
Decisional law interpreting Article III standing in the context of a data breach, absent evidence of misuse of the breached data, is developing and inconsistent. Compare the ruling in Horizon with that in Gubala v. Time Warner Cable, Inc., No. 16-2613 (7th Cir. Jan. 20, 2017), which affirmed the dismissal of a class action complaint brought under the Cable Communications Policy Act on the ground that the defendant had failed to destroy, and instead continued to store, the named plaintiff’s personal information after he cancelled his subscription. The Supreme Court may again need to weigh in on Article III standing.
The actions or inactions of MAPFRE and Children’s, of course, implicate information governance. My next blog will discuss what effective information governance principles and competencies might do to prevent or minimize data breaches.
**Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.