ALM Properties, Inc.
Page printed from: Corporate Counsel
Select 'Print' in your browser menu to print this document.
Health Data Privacy Driving New Type of Class Action Litigation
In January, Deanna DeBaeke plugged her name into Google and was shocked at what she found.
Right there online were three reports containing the Sonoma County resident's confidential medical information relating to her treatment at Santa Rosa Memorial Hospital a year earlier. Her height and weight, smoking history, blood pressure and patient account number and treatment dates were available for friends, neighbors, even potential employers, to see.
DeBaeke decided to take legal action in a way that puts her at the vanguard of a new strain of litigation. She's a name plaintiff in a proposed class action against the hospital system for violating California's strict medical information privacy laws. Her attorneys, San Francisco plaintiffs shop Keller Grover, filed the complaint in Sonoma County Superior Court a week ago.
The potentially multimillion-dollar case is the latest in a flurry of privacy data breach actions targeting hospitals, medical services providers and at least one health insurance company across California. Recent pro-business court decisions have made certain consumer class actions less attractive, and plaintiffs lawyers are on the lookout for other lines of business. The combination of a state-law specified damages figure of $1,000 per person per violation and the massive scale of potential breaches has plaintiffs lawyers salivating and potential defendants bracing for a fierce fight.
"There's an awful lot at stake here," said Brian Kabateck, of Los Angeles plaintiffs firm Kabateck Brown Kellner, who's not involved in the case.
With hospitals pushing to put patient records into electronic form, all it takes is one lost laptop or a single data security lapse and the personal information of tens of thousands of people is exposed to a vast audience. According to the Department of Health and Human Services, the personal medical data for more than 11 million people have been improperly exposed during the past two years.
Still, filing health-related privacy cases as class actions is untested territory, and attorneys say new law will be made in the next few years. That means attorneys and the courts will be dealing with issues of first impression.
"The privacy data breach area offers some new opportunities to expand the types of cases that we're handling," said Eric Grover, whose seven-lawyer firm has been known for employment and nonhealth-related consumer protection cases. "When we saw the scope of what was happening, and the number of breaches that have occurred across the country in recent years, we saw that this was not a unique circumstance, and we should educate ourselves about the subject matter."
A month after DeBaeke's Internet search, the hospital and its parent, St. Joseph Health System, confirmed that her personal information, including lab results, had been freely available online for months.
It turns out DeBaeke was one of roughly 31,800 patients whose information St. Joseph left unprotected. The hospital offered a year of free credit monitoring services to cover the risk of identity theft, but no monetary relief.
DeBaeke was hardly the only patient who took her outrage to the courts: St. Joseph is facing three other proposed class actions filed in the past two months for the same security lapse.
Keller Grover has made class actions over such data security breaches one of its new specialty areas. A number of other California plaintiffs firms see the potential for big money in the health care arena, including San Francisco's 22-attorney Girard Gibbs; five-attorney Ram, Olson, Cereghino & Kopczynski; and 16-lawyer Los Angeles firm Kabateck Brown Kellner. The firms are behind class actions filed against Health Net of California, Sutter Health and Stanford University Hospital all brought within the past year under California's Confidentiality of Medical Information Act of 1981 and involving the mishandling of personal data.
Plaintiffs powerhouse Lieff Cabraser Heimann & Bernstein has also been looking into the medical privacy breach that led to the public online posting in September 2010 of 20,000 Stanford Hospital emergency room patients' data over the course of nearly a year. Among the information exposed: names, diagnosis codes, discharge dates and billing charges.
It's clear the health care industry views the CMIA as a serious risk. Kabateck, who's also the president-elect of Consumer Attorneys of California, said McKesson Corp. lobbied Sacramento legislators about a year ago to remove the $1,000 damages clause from the law. The health care information technology provider pushed to make the changes retroactive, Kabateck said, which killed any potential deal. "I don't think that any of these medical providers will go quietly into the night," Kabateck said. "I think they'll fight this any way they can, but I think the statute is clear on its face about what it was intended to do about statutory damages."
"Patient privacy is not a new area," Pillsbury Winthrop Shaw Pittman partner Sarah Flanagan said. "What's new is class actions directed at security breaches that potentially involve thousands of patients."
Flanagan, who represents Stanford Hospital in a data breach case filed in September, said health care privacy litigation used to come in the form of individual actions against a hospital or medical services provider. But CMIA's $1,000-per-instance clause opens the doors to potentially multimillion-dollar awards if a hospital's entire patient roster is leaked online, she and other attorneys say. If the disclosure is done willfully or negligently, the fines and penalties can run up to $250,000 per violation for licensed health care professionals who leak information for financial gain.
"You've seen these cases in the commercial setting," Flanagan said. "There have been plenty of credit card and other commercial cases in which privacy has been an issue." The law in those cases is further along, Flanagan said. Now the plaintiffs bar has trained its eyes on the health care industry, which offers a unique regulatory scheme, she said.
Flanagan says the courts will have to answer a number of new questions about the language in the law and its application.
For one thing, Flanagan says the law was not written with class actions in mind. One of the issues being challenged now is what plaintiffs have to prove to establish a negligent violation, which she said is necessary to qualify for the $1,000-per-breach award. Flanagan also questions how appropriate it is to aggregate what she said was intended to be nominal damages into a multimillion number that she calls "disproportionate to any harm to the plaintiffs and to the violation." The court of appeals hasn't yet ruled on these issues under the CMIA.
Plaintiffs lawyers concede the economic valuation of these cases is still a big unknown, said Jeffrey Cereghino of Ram, Olson, Cereghino & Kopczynski, co-lead counsel in the Health Net and Sutter cases.
"The damages component and how the statute might be perceived is a significant unknown," Cereghino said. Still, he pointed to a case he said shows how seriously medical privacy is being taken in other parts of the country: The Connecticut attorney general's office slapped a $370,000 fine on Health Net of Connecticut Inc. two years ago for a massive security breach involving the personal data of about 1.5 million customers.
"We can learn two things there: Health Net has had this problem before, that there's a pattern of behavior that's always going to resonate with a jury and second, there was sufficient basis for the Connecticut AG's office to assess a penalty," Cereghino said.
Cereghino isn't worried about proving negligence, given the wide availability of encryption tools and the ability to create security protocols. "Servers don't walk off by themselves and computers with unencrypted data do not suddenly disappear," Cereghino said. "Defendants have a duty to protect this information and fail to do so, and that is negligence pure and simple."
And other plaintiffs lawyers don't seem concerned about getting class certification. Grover said there's really not any individualized issue in these cases. "This is about as common as it gets. St. Joseph, for example, admits that this set of data for 30,000 or so patients was found on the Internet because they said, 'We made a mistake,'" he said, quoting a February notification letter his clients received.
Grover says case law is on the plaintiffs' side regardless of whether the Legislature intended its statute to allow for class actions. "There's nothing in the labor code that authorizes a class action for not paying overtime, yet there've been thousands of overtime class actions filed in California over the last 10 years," he added.
This article originally appeared in The Recorder.