In the days after the disclosure of a healthcare data breach impacting a significant number of patients, a multitude of law firms quickly announce their own ongoing investigations into the incident with calls for potential victims.
Indeed, recent data from BakerHostetler confirms data breach lawsuits filed against hospitals in the wake of a breach are on the rise. Said BakerHostetler Partner Lynn Sessions in an interview with SC Media: “That's what we absolutely see happening.”
In some instances, entities may face multiple lawsuits filed in the same forum, or a combination of federal and state courts. As noted in the report, the “duplicative litigation trend” has created a race to file in court, while raising the cost of initial litigation defense and overall settlement fees due to the sheer number of plaintiffs’ attorneys involved.
The Health Insurance Portability and Accountability Act requires providers to report any breaches of protected health information impacting more than 500 patients to the Office of Civil Rights, which are then posted on its breach reporting tool.
This offers an incentive for lawyers to take on cases.
“Oftentimes it gets picked up from the plaintiff's attorney,” Sessions explained. But these attorney’s may actually be monitoring the OCR wall of shame to find breaches with a “significant number of impacted people.” And when a new one is reported that involves more than 100,000 patients, the attorney may then take to social media to find someone impacted by the incident.
The aim is to pull together a class-action lawsuit, said Sessions, who leads the Digital Assets and Data Management Practice Group’s healthcare privacy and compliance team and co-leads the healthcare industry group.
In the latest instance, Digital health company myNurse announced it had experienced a systems hack that resulted in the access of consumers’ personal and health data just this week. Not more than 24 hours after media outlets covered the story, a major law firm set up a website detailing the hack and the types of data accessed during the incident.
The site also describes whether patients are allowed to sue following a breach, based on whether the entity was “negligent and a data theft occurs” and the elements that could legally hold them liable, such as “improperly protecting data” or failing to train employees.
SC Media won’t name the law firm so as not to draw attention to the site, but will note that the language used to describe the incident leans on fear-based language to draw attention to potential harms, such as financial or emotional ruin, while stressing that the consumer is likely not the only victim.
To be clear, the concerns raised here do not include cases where victims have reported instances of fraud attempts, stolen identities, or other crimes. Not all data breach lawsuits are without merit. The issue at hand is how do these breach lawsuits, without evidence of harm, help victims or improve healthcare’s security posture?
The ethics behind the matter
Ambulance chasing refers to lawyers seeking out victims of accidents, preying on vulnerabilities to secure their business. It’s illegal in 21 states, but always seen as unethical by the American Bar Association.
When Sessions was still operating on that side of the aisle, there were lawyers who acted “particularly unsavory,” following an airplane crash to speak directly with family members for example.
But the term is typically confined to “accidents,” creating a possible gray area or loophole in these types of filings.
Still, Sessions stressed there are definite ethical questions raised by these increasingly common practices of “chasing” down breach victims. But change would come down to the “regulation of illegal practice,” or essentially, a private action.
“The process would have to begin with a complaint made against the lawyer and to their state bar, if that state prohibits the solicitation of clients in that fashion,” said Sessions. “Then, the lawyer essentially undergoes an ethical investigation with the state bar, and they're potentially penalized. They could lose their license, in the worst case scenario.”
More typically they might be sanctioned or have to undergo ethics training for a defined period of time, but it will vary on state bar ethics. Sessions added that “someone would have to turn them in.”
How then can providers protect themselves from these scenarios? The best case would be to not fall victim to cyberattacks or data breaches, but clearly that’s a pipedream.
“Nobody’s bulletproof,” said Sessions. Even the federal government has fallen victim to hacking by foreign actors, and “a health system doesn't even have those same resources.”
In healthcare, there’s regulatory compliance and state privacy laws to contend with, in addition to the potential risk of litigation, which “are not often the same thing.” A provider may have a reportable breach under HIPAA and could have done everything within their resources to secure their network and still fall victim to an attack, she explained.
There’s two possible paths: HIPAA compliance would impose that it’s a reportable breach, while an in-house or private legal team would defend against potential litigation filed by breach victims.
“We want to be transparent with our patients; that's something very much embraced by healthcare," Sessions said. "By the same token, if you're dealing with a large patient population that has to be notified, it's not hard for a plaintiff's lawyer to find somebody.”
Supreme Court ‘actual harm’ ruling
A Supreme Court decision in June 2021 established that only individuals “concretely harmed” by a breach violation have standing to seek damages against a breached entity, based on a case filed by Sergio Ramirez and 8,185 individuals against TransUnion.
In theory, this should have helped address the issue. The court’s decision outlined the areas of actual harm required for breach cases to proceed in court, placing the onus of proof squarely on the shoulders of breach victims. The decision detailed key areas of actual harm that could impact future data breach lawsuits, including those in healthcare.
Indeed, on its surface, the decision would reduce the number of potentially frivolous breach cases brought against providers, especially those without any evidence of actual harm. But on the contrary, healthcare breach lawsuits have become nearly as common as the breach notices themselves. Law firms offer their services, arguing legal merit with proper representation. Potential victims trust the legal advice.
“It takes $49 to file a complaint in any court. It’s a low threshold to get into the court system,” said Session. “What we find with these types of lawsuits, is that [the attorneys] find at least one person to serve as a member of the class.”
“It’s such an expensive proposition,” she added.
Ransomware driving rise in class action filings
After the initial targeting of healthcare by ransomware actors in early 2016, OCR expounded on the HIPAA rule to ensure providers knew that they held the burden of proof to demonstrate a hacker didn’t gain access to patient data during or before a ransomware attack.
As such, ransomware is presumed to be a breach, unless forensics can confirm the PHI on the affected system wasn’t acquired or accessed, Sessions explained. “Unfortunately, what we find in these situations, is that once the bad guys get in … if the evidence is not available to prove they didn't access or acquire certain PHI, we have to notify the entire master patient index.”
This can lead to breach notices sent to up to millions of patients, depending on the entity.
In the last year, as spotlighted in the BakerHostetler report, a number of healthcare entities were primarily targeted by ransomware attacks and vulnerability exploits, particularly those with legacy protocols in use, or those without multi-factor authentication on email. Ransomware was among the driving cause of class action lawsuits last year.
Particularly with ransomware attacks, “it’s a very low threshold under which an entity has to report the incident,” said Sessions. The rule is unlike state data breach laws, which talk about acquisition or access to personally identifiable information.
For Sessions, the scenario is the perfect storm: a large notification group, a low threshold for notifying patients. "Then the federal government puts it out on a website that a plaintiff's lawyer… and the whole world has access to.”
Sessions described one instance where a healthcare entity was impacted by a ransomware attack, and within one week of notifying patients on their website, individuals began contacting the entity to let them know they were being contacted by various law firms on social media about the breach.
“It’s very common that we see those advertisements going out,” she added. “There may be some ethical issues with that, as attorneys for the solicitation of clients and whatnot. But that will probably depend on the particular state bar rules, or the ethics rules around the chain of events.”
Choose your own extortion party
Outside of a handful of cases dismissed due to lack of evidence outlining harm, many of these filed lawsuits remain in debate between the breached entity and the law firm representing victims, or have been settled in swift action outside of the court.
In one of the quickest examples, Kroger informed patients in February 2021 that its data was included in the massive Accellion data breach in 2020. During the incident, Clop actors gained access to personal and health data tied to 1% of Kroger’s clients, or approximately 1.5 million individuals.
Within weeks, breach victims had filed a lawsuit. And by June, just four months after the breach disclosure, Kroger settled with the breach victims for $5 million. Meanwhile, the class action lawsuit filed against Accellion itself is still being litigated more than a year later.
What’s more, these quick settlement actions are becoming increasingly common with breach litigation due to the potentially staggering costs incurred for prolonging litigation – even when the suit does not show evidence of harm.
In one instance detailed by Sessions, a party received an initial complaint filed with the court. The unnamed entity was advised that they could speak with the plaintiff’s lawyers with a detailed strategy, including a hefty price tag for defending against the allegations. Whereas, a motion to dismiss will cost about $200,000.
On the other hand, should an entity pursue a defense, settlement, or even a dismissal in federal court to defend their reputation, these legal actions can see a far greater price tag “even if they win.” Sessions noted that the plaintiff’s lawyers can use this time to argue their case and further delay the legal procedures, thus further running up the fees.
The plaintiff’s lawyers can choose to appeal, and the case will go into the discovery portion, including depositions of the entity’s chief information security officer, the privacy officer and others involved with the forensics. With each step of the process, the entity is “incurring legal expenses.”
“A lot of times, the company says, ‘Look, we want to count our losses here. We’re going to go ahead and settle this.’ Or the insurance company says, ‘We better settle this’, because sometimes it’s the insurance company’s money being paid in these instances,” said Sessions.
“It becomes a business decision, just like most litigation. But who makes all the money? The plaintiff’s lawyers,” Sessions continued. “When they have a class action settlement, they take on millions of dollars, and the named plaintiff gets a small portion.”
The rest is divvied up between the class members, often equating to just a few hundreds of dollars for their efforts.
In fact, Sessions said “very few of the clients are going to choose to make it through the end of the litigation because it's going to cost them millions of dollars.”
She herself has helped clients receive some very good results through creative means to settle matters, because the company wanted to cut their losses and use the cheapest way possible to get out of the situation.
“But it unfortunately perpetuates the process,” she added. A company can be “extorted by the threat actor that's involved in the ransomware, and then you get extorted by the plaintiff's lawyer and the class action lawsuit… But that's what the process looks like.”
“You never get to that point of having to prove actual damages, nor do you have to prove causation,” Sessions stressed. “So there might be people who have terrible identity theft going on, but there's no way to link it back to this ransomware attack that happened six months ago.”
So although the Supreme Court ruling appeared to give hope that the number of lawsuits against health systems would wane, true change will require companies willing to spend more money to take these suits to the finish line and clear their name. That would establish needed precedent to improve the current state of things.
Sessions is confident the Supreme Court’s ruling will ultimately have teeth if the tides turn, and some of these cases without actual damages are tried with strong case law, rather than settled out of court.
But even then, precedent will differ by each jurisdiction. And in the meantime, there will be “bad law made” as courts may be more “plaintiff friendly.” However, her firm has “made some very good case law for healthcare organizations relative to the California statutes” and other parts of the country.
As it stands, many of these breach lawsuits are resolved outside of court. Sessions noted that in one situation, a case has been pending for 10 years yet to go to trial.
“These are lengthy matters,” said Sessions.
For providers, the contention should center on standard of care, "because at the end of the day, it's most likely going to be some type of negligence claim that may withstand any type of motion to dismiss and motions for summary judgment,” she explained.
The reasonable and prudent approach for healthcare providers under these situations is to address the required elements in HIPAA around the basis of minimum standard of care, which can build a “pretty decent argument.”
