Companies that have a breach involving protected health information (“PHI”) worry not only about fines and penalties imposed by the Department of Health and Human Services (“HHS”), but also about class action lawsuits. The risk that a class action lawsuit will lead to financial liability, however, is often misunderstood.

In many, if not most, class action lawsuits that involve the loss of PHI, plaintiffs have been unable to prove that they have standing to seek recovery. Specifically, unless a plaintiff has been the victim of identity theft or has suffered some other type of concrete injury, most courts have refused to let the plaintiff proceed based solely on the allegation that they are subject to an increased risk of harm as a result of the breach.1 The following summarizes the types of allegations that courts have, and have not, found sufficient to establish standing.

Click here to view the table.

What factors should you look at when considering the risk that litigation poses following a breach?

Click here to view the table.