The costs of HIPAA breaches are well-documented. Thefts of laptops containing patients' sensitive health information impose significant costs on covered entities and their business associates, from the preliminary investigation to mailed notification of every affected patient, to say nothing of the reputational harm inflicted by mandatory self-reporting to HHS's public "wall of shame" (the OCR breach portal). As if these costs were not enough, savvy plaintiffs' attorneys are finding ways to frame class actions around these breaches, which, if successful, add significant liability on top of the regulatory exposure.
In a previous post, we addressed a consumer class action in which the Oregon Supreme Court held that the alleged harm – a risk of future identity theft – was not sufficient to provide a basis for a cause of action. In a recent decision in the Eleventh Circuit Court of Appeals, Resnick v. AvMed, the court reversed the district court’s dismissal, finding that the putative class alleged a cognizable injury sufficient for standing and to support their state law claims for recovery for losses suffered from identity theft following a data breach.
The facts of Resnick should sound familiar. A HIPAA covered entity had two laptops stolen from its Florida office. The laptops contained PHI, Social Security numbers, and other personal information belonging to 1.2 million of its members. Nearly a year after the theft, the named plaintiffs alleged that they had become victims of identity theft: bank accounts and credit cards were opened in their names, their addresses were changed, and purchases were made. Naturally, they attributed the identity theft to the laptop theft.
The district court dismissed the complaint, finding that it failed to allege a cognizable injury. The Eleventh Circuit reversed, finding plaintiffs’ allegations of actual identity theft resulting from a data breach to be sufficient to constitute injury in fact. The court found a plausible, logical nexus between the data breach and the identity thefts. Plaintiffs alleged that they had not had their identities stolen or their sensitive information compromised prior to the laptop theft. They stated that they took considerable precautions with their own information, such as not transmitting unencrypted sensitive information over the internet. According to the Court, based on these facts, the allegations moved “from the realm of the possible into the plausible.”
To be sure, the defendant could have done more to protect its PHI and prevent the breach in the first place. The data on the laptops could have been encrypted at rest, and the facility's physical security probably could have been more robust. The Resnick decision did not address whether the defendant notified the plaintiffs or took any remedial measures, such as attempting to locate the stolen information or purchasing identity theft protection for affected members. Nevertheless, Resnick is particularly troubling for HIPAA covered entities and business associates because of the unanticipated costs that may surface months or even years after the initial breach if the response is not handled properly. Although the upfront costs of a breach response may be significant, those investments may prevent, or at least limit, future exposure if the breached information finds its way into the wrong hands.