Advocate Health Ruling: The ImpactLegal Experts Say Plaintiffs in Breach Cases Face Uphill Battle
A recent ruling by an appellate court upholding the dismissal of two lawsuits against Advocate Health and Hospitals Corp. filed in the wake of a 2013 breach affecting 4 million individuals is yet another reminder of the challenges plaintiffs face when solid evidence of harm stemming from breaches is lacking.
See Also: The 5 Foundational DevOps Practices
In a decision filed earlier this month, an Illinois appellate court affirmed the decisions by two lower courts that dismissed separate lawsuits against Advocate, a major healthcare provider in the Chicago area, in large part because allegations of harm caused to plaintiffs by the Advocate breach were "merely speculative."
The appellate court affirmed the lower courts' rejections of claims that plaintiffs in the cases "face imminent, impending or a substantial risk of harm as a result of the burglary" at an Advocate Medical Group office, in which four unencrypted desktop computers were stolen. "Allegations of possible future injury were insufficient to confer standing," the appellate court noted in its ruling.
The appellate court ruling upheld the lower courts' rejection of plaintiffs' allegations that Advocate violated the Fair Credit Reporting Act by failing to protect consumer data, resulting in plaintiffs suffering personal and financial damages, says privacy and security attorney Brad Rostolsky of the Philadelphia office of law firm Reed Smith, who is not involved in the case.
"At its core, this action was dismissed ... because Advocate was determined not to meet the definition of 'consumer reporting agency' under the federal Fair Credit Reporting Act, of FCRA," he says.
What's most significant about the ruling, Rostolsky says, is that courts may be unwilling to extend the applicability of a statute like FCRA, which primarily addresses other issues, "to a more classically described breach situation."
In a statement about the ruling provided to Information Security Media Group, Advocate says, "While we are pleased with the outcome of the class action suit, we deeply regret any inconvenience caused by the data breach and remain fully committed to protecting patient information.
The statement notes: "In order to prevent such an incident from reoccurring, Advocate performed an extensive audit to identify and remedy any areas where patient's private information may be at risk. In addition, we conducted a thorough review of our policies and procedures and have enhanced our security protocols and encryption program with associates."
Advocate says it believes the computers were not stolen for the data they contained, and says there has been no indication that patient information has been used inappropriately as a result of the 2013 theft. Nevertheless, Advocate offered free credit monitoring protections to those potentially affected, the statement notes.
Attorneys representing plaintiffs in the case did not immediately respond to ISMG's request for comment.
The latest ruling in the Advocate case come as no surprise, says privacy and security attorney Kirk Nahra of the Washington-based law firm Wiley Rein, who is not involved in the case. "This decision is consistent with the overwhelming majority of decisions related to security breaches," he says.
"The idea is that in order to move a case forward, the individuals whose information was involved in the breach must be able to allege some kind of specific harm. There have been dozens, maybe hundreds of cases across the country holding that the mere potential of something in the future is not sufficient to allege the injury that is required to bring a case. Class action attorneys continue to bring these cases, trying to make cracks in this litigation brick wall."
Indeed, plaintiffs in the Advocate case have plenty of company when it comes to breach-related class action lawsuits being dismissed.
In April, a federal judge, citing similar reasons the court used to dismiss the Advocate case, dismissed a consolidated class action lawsuit against Horizon Blue Cross Blue Shield that was filed in the wake of a 2013 data breach. The incident, which involved the theft of two unencrypted laptop computers, exposed information on nearly 840,000 individuals
Last year, a federal district judge dismissed the majority of a consolidated class action lawsuit that was filed against TRICARE, the military health program, and Science Applications International Corp. in the wake of a 2011 data breach that affected nearly 5 million individuals.
Despite a pattern of health data breach class action lawsuits being dismissed by the courts, "there are a handful of cases where there has been some different result, at least as far as the initial claims are concerned," Nahra notes. "Typically, those have involved a situation where at least some members of the class can allege actual harm."
One example is the $3 million settlement agreed to in 2013 by AvMed, a Florida-based health insurer, in a case stemming from a 2009 data breach involving the theft of two unencrypted laptop computers containing data on 1.2 million individuals (see Settlement in AvMed Breach Suit).
The AvMed settlement, filed in a U.S. District Court, is considered significant because it awarded payments to individuals who were not victims of identity theft, but who paid premiums to AvMed in years leading up to the theft.
Settlement documents in that case explain that awards of up to $30 each to about 460,000 individuals affected by the breach represents what AvMed should have spent on protecting data, amounting to a refund of premium overpayment. Additionally, individuals who were victims of identity theft as a result of the breach can submit claims to be reimbursed by AvMed for their monetary losses.
As for the recent Advocate lawsuit ruling, "this result is a good one for the overall healthcare [sector]," Nahra contends. "Many, and probably all, potential security events do not ever result in anything bad happening to anyone."
This ruling, and the others like it, mean that there is no ability to bring a claim and get money from a healthcare provider where there has been no demonstration of harm, he says. "It preserves the ability to bring suits for any individuals actually harmed by these events, in the rare circumstances where there is an actual harm," he adds.
The dismissal of the Advocate case may lead others to change their strategies in the filing of class action lawsuits related to breaches, Rostolsky says. "The Advocate decision may serve to refocus plaintiff's attorneys as they formulate causes of action. Certainly, the decision reflects the likelihood that courts will scrutinize attempts to characterize ... healthcare breaches as violations of the FCRA."