On July 10, 2014, a Kane County, Illinois Circuit Court granted a motion to dismiss with prejudice in favor of Advocate Health & Hospitals Corporation (Advocate) in a class action case arising out of a breach of patients' protected health information (PHI). In August 2013, Advocate reported one of the largest data breaches to date under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after four laptops containing the unencrypted information of over four million patients were stolen from an Advocate medical group administrative building. As a result of the breach, two patients filed a class action lawsuit alleging that Advocate failed to take necessary steps to safeguard patients' PHI. Plaintiffs' claims include: negligence, violation of the Illinois Personal Information Protection Act, violation of the Illinois Consumer Fraud Act and invasion of privacy. The Kane County Circuit Court granted Advocate's Motion to Dismiss the complaint with prejudice for lack of standing and failure to state a claim.
The Court held that the plaintiffs lacked standing because they could not prove that the stolen information had been accessed or used, and therefore they could not prove that there had been actual identity theft or harm. The Court stated that "there had been no injury and no change in the status quo." While the Court noted that there was an increased risk of harm due to the theft of the laptops and the potential accessibility of the unsecured PHI, there was no impending certainty of identity theft. For the matter to be ripe, the thieves would actually have to disclose, sell to other criminals, or otherwise misuse the PHI.
The Court further ruled that there were insufficient allegations of present injury to sustain negligence and Illinois Consumer Fraud Act claims. With respect to the invasion of privacy claim, the Court ruled that there were insufficient allegations of intentional conduct.
This case is an example of the challenges in bringing claims under state law for HIPAA data breaches. There is no private cause of action under HIPAA, so plaintiffs must rely on state law theories. Because most, if not all, states require that plaintiffs show actual injury to state a sufficient claim, plaintiffs often face a high hurdle: they cannot show that their PHI was used to commit identity theft or other harm. Even if there is an identity theft, they often cannot prove that it resulted from the HIPAA breach.
Even though state causes of action may be difficult to prove, covered entities and business associates face penalties under HIPAA. Also, although difficult, state causes of action are still a risk. Therefore, HIPAA covered entities and business associates should take steps to protect sensitive information, including encrypting PHI that is stored on portable devices such as laptops, tablets and smartphones.