For trial lawyers, future litigation might not focus so heavily on auto accident, slip-and-fall and medical malpractice cases. Plaintiffs attorneys are finding new business by taking on lawsuits in which clients claim to have been hurt – financially or otherwise – through data breaches.
With hospitals pushing to put patient records into electronic form, all it takes is one lost laptop or a single data security lapse – and the personal information of tens of thousands of people is exposed to a vast audience. According to the federal Department of Health and Human Services, the personal medical data for more than 11 million people may have been exposed improperly during the past two years.
One of those exposures happened in Connecticut in 2009, when Health Net failed to safeguard personal health information for 1.5 million members in the state. The company was fined $375,000 by the state Attorney General’s Office, even though Health Net officials insisted none of the information was used for ill gotten gains.
Some financial institutions have had similar problems. Attorney Michael A. Stratton, of New Haven’s Stratton Faxon, is involved in two class actions filed in New Haven seeking damages from banks accused of mishandling banking and personal information of customers. One case involves the Bank of New York Mellon, which lost data tapes containing account information for about 4.5 million people, including 500,000 customers of People’s United Bank of Bridgeport.
Lawsuits are certain to follow when private health or financial information gets lost or stolen. But in Connecticut and other states, plaintiffs lawyers concede that valuation of these cases is still a big unknown. "Unless someone had done something sloppy, I just don’t know what the damages would be," said attorney Ira Grudberg, of New Haven.
While health-related privacy cases as class actions is untested territory, attorneys say new law will be made in the next few years. That means attorneys and the courts will be dealing with issues of first impression. "You read about this all the time, where there are concerns about a breach of information," said attorney Chris Benard, at Koskoff Koskoff & Bieder in Stamford. He has not seen a case of that nature yet, "through the grapevine," but he and others are watching.
Across the country, in California, a flurry of privacy data breach actions have been filed targeting hospitals, medical services and a health insurance company. One proposed class action against Santa Rosa Memorial Hospital, in Santa Rosa, Calif., and its parent, St. Joseph Health System, accuses the hospital system of violating California’s strict medical information privacy laws.
Deanna DeBaeke, a named plaintiff in the case, claims she is one of 31,800 patients whose information was left unprotected by St. Joseph Health System. The hospital confirmed that DeBaeke’s personal information, including lab results, was available to anyone who wanted to look at it for months. The hospital offered a year of free credit monitoring services, but no monetary relief. Since then, law firms have responded.
"The privacy data breach area offers some new opportunities to expand the types of cases that we’re handling," said Eric Grover, partner at the seven-lawyer California law firm Keller Grover. "When we saw the scope of what was happening, and the number of breaches that have occurred across the country in recent years, we saw that this was not a unique circumstance, and we should educate ourselves about the subject matter."
A number of other California plaintiffs firms see the potential for big money in the health care arena. Several firms are behind class actions filed against Health Net of California, Sutter Health and Stanford University Hospital – all involving the mishandling of personal data.
The right to confidentiality of medical records and information is governed by state and federal laws. The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the protection and release of health care information by most hospitals and health care providers.
The case against Health Net of Connecticut, in which the fine was levied in a settlement with the Connecticut Insurance Commission, is still being discussed in relation to the California cases. "We can learn two things there," said attorney Jeffrey Cereghino, of Ram, Olson, Cereghino & Kopcyznski, who is co-lead counsel in the Health Net and Sutter cases in California. "Health Net had this problem before, and there’s a pattern of behavior – that’s always going to resonate with a jury – and second, there was a sufficient basis for the Connecticut AG’s office to assess a penalty."
The Recorder, a San Francisco-based legal newspaper with the same corporate parent as the Connecticut Law Tribune, contributed to this report.