Kroger reached a $5 million lawsuit settlement with individuals impacted by a breach reported in February. The settlement was the third legal action tied to a health care data breach this week, shedding light on the rise in breach-related lawsuit trends in the sector in the last few years.
Meanwhile, the June 21 Supreme Court decision on a case filed by Sergio Ramirez and 8,185 individuals against TransUnion concluded only individuals “concretely harmed” by a breach violation have standing to seek damages against an entity.
For Ron Raether, partner at Troutman Pepper, the settlement and the Supreme Court decision shine a light on the challenge regulators face in addressing the remediation of threats, breaches, and the ongoing ransomware crisis.
“Regulators have struggled with whether a carrot or stick will address these issues,” said Raether. “However, the stick approach will not move the needle. Instead, regulators and companies need to join together to fight this common enemy.”
Specifically, companies should be incentivized to invest more in information security through such tactics as tax breaks, while government and regulators should focus on greater access to tools and education, and eliminating the financial motives of the threat actors.
Kroger settlement, at a glance
As it stands, health care entities are regulated by the Department of Health and Human Services for compliance with the Health Insurance Portability and Accountability Act rule. The regulation carves out requirements for privacy and security programs, with which the majority of providers comply.
But compliance is often seen as a checklist and one in need of improvement as the rule was enacted in 2009 – long before the age of digital health and an increasingly sophisticated threat landscape. And even with the best security processes and tech, sometimes threat actors are still successful in their exploits.
A key example of this can be seen with the Kroger incident. The pharmacy and supermarket chain was among the hundreds of victims affected by the supply-chain attack against Accellion’s File Transfer Application in December.
Hackers exploited several zero-day vulnerabilities in combination with a new web shell, which gave them access to at least 100 companies through Accellion’s FTA service. The actors were able to steal troves of data during the incident, including customer and employee information from Kroger.
The attack was led by the Clop ransomware group, with many Accellion clients reporting the actors contacted them directly and threatened to expose data stolen in the attack.
About 1% of Kroger Health and Money customers were affected, including its pharmacy and health clinic patients. The data included health benefits information, Social Security numbers, prescription details, and contact information, among other sensitive data.
Kroger promptly discontinued use of Accellion’s services and reported the incident to law enforcement. But the 1.5 million customers impacted by the incident soon began filing lawsuits against Kroger, in addition to at least 15 lawsuits directed at Accellion for its role in the incident. About 3.8 million individuals, including employees, were affected by the Kroger incident, overall.
The Kroger lawsuit accused the pharmacy chain of failing to implement and maintain data security practices able to safeguard client information and to detect the security vulnerabilities behind the breach, as well as of inadequate security practices for personally identifiable information.
Kroger consistently denied these claims as it worked to respond to and remediate the impact of the breach, including providing those impacted with two years of credit monitoring and ID theft insurance. Kroger also worked closely with the FBI during its recovery and investigation, while retrieving the stolen data from the attackers with confirmation that it would be destroyed.
Further, Accellion never informed Kroger of the vulnerabilities in its legacy FTA service, Kroger claimed.
Over the last several months, Kroger sought to consolidate some of the lawsuits; during that time, attorneys for both sides were able to reach an agreement to settle the litigation. The settlement will resolve all claims in the Ohio actions.
The settlement will cover all US residents impacted by the Kroger incident and establish a $5 million settlement fund, or about 1% to 3% per impacted person. Those individuals with documented losses may file a claim for a reimbursement of up to $5,000.
Kroger is also required to implement significant remedial measures as part of the settlement, including confirmation that it will no longer use the Accellion FTA service and will migrate to another secure file transfer solution.
In addition, Kroger must undertake measures to secure and destroy the data stolen or accessed during the security incident. Kroger is also required to enhance its existing third-party vendor risk management program and to conduct periodic reviews of all file transfer services and other software used to transfer customers’ personally identifiable information.
Kroger is also required to monitor the dark web for indications of fraudulent activity, stemming from the data stolen during the Accellion hack.
The settlement shares similarities with other health care breach lawsuits settled in the last two years, such as the June 2020 settlement for $2.8 million between UnityPoint Health and the millions of patients impacted by two phishing-related breaches in 2017 and 2018.
The most recent health care-related settlement, for $2 million, was reached by victims of a nine-year breach at insurance giant Dominion National.
“The value of a class settlement depends on numerous factors, many of which have no ties to the risk or the economic realities of the situation at hand,” said Raether. “But more to the point, class actions do even less to incentivize aggregate change than regulatory actions.”
“Our current system of using the stick to cause change is not working,” he added.
Supreme Court defines “actual harm”
Many of these lawsuits vary widely in terms of financial restitution and in how judges define “actual harm.” To Raether, the Supreme Court decision in TransUnion vs. Ramirez in 2021 shines a light on some of these gray areas and on how the onus of proof falls to the victims.
Ramirez sued TransUnion after a dealership declined to sell him a vehicle as his name appeared on a “terrorist list.” TransUnion implemented the measure to help companies prevent doing business with suspected criminals.
The alert in question compares consumer names with the Office of Foreign Assets Control’s list and then flags the credit reports of consumers with possible matches. At the time, TransUnion only compared data against first and last names.
If the name of the consumer matched with the name of an individual on the OFAC list, TransUnion would place an alert on the consumer’s credit report to indicate the individual was a potential match to a name on the OFAC list.
The decision established key areas of actual harm that could impact future data breach lawsuits, including those in health care. In particular, the federal judiciary’s power is confined to resolving cases and controversies in which plaintiffs have a personal stake in suing the entity accused of a violation.
“Ramirez is a potentially far-reaching opinion, with impact well beyond the Fair Credit Reporting Act,” explained Raether. “The implications of which are sure to be debated in the coming months in the lower courts.”
“It is clear plaintiffs need more than a statutorily created right (public or private) and fear of future misconduct to make their way into federal court,” he added. “Whether that statutory right can find a sufficient common law foundation to create a concrete injury, or whether an informational right can be established, will be debated by litigants by reference to Ramirez and the Supreme Court’s many other standing decisions.”
As such, the decision makes clear that it is the judiciary, and not Congress, that is charged with determining whether actual harm exists, based on historical injury. Raether explained that, given the facts presented in Ramirez, the assertions fell short of the “concrete harm” standard.
Further, Congress cannot rewrite HIPAA to create a private right of action able to confer standing. Raether stressed that the Ramirez decision clearly shifts Congressional power in this area to the judiciary. The full extent of the decision will likely be seen in the future.
As it stands, Raether explained that Ramirez establishes the definition of actual harm. Individuals suing companies that breach their data and claiming damages must show either an analogue to a common law tradition or “factual evidence” of some type of materialized actual harm, which could take the form of emotional distress, out-of-pocket loss, “downstream consequences” such as altered conduct or a denial of a credit opportunity, etc.
Further, it appears the Ramirez decision has made the “risk of harm” a dead letter issue, outside of claims for injunctive relief that must demonstrate that the risk of harm in the future is both imminent and substantial.
“That is potentially significant for data breach cases, as risk of harm is the traditional rubric by which such cases are litigated from a standing perspective,” said Raether. “In some jurisdictions, where mitigation costs have already not been deemed sufficient for standing, some other form of concrete harm is required.”
“But, in other jurisdictions, mitigation costs may be regarded as sufficient even after Ramirez,” he added. “At the very least, however, these requirements will impose an impediment to class certification, as such damages are generally not subject to common proof.”
The decision also dealt informational injury claims a significant blow, as it held there can be “no standing based on a claim of informational injury absent individual proof of downstream consequences due to the lack of information.”
For data breach cases that challenge an entity’s failure to provide timely notice in the wake of the breach, the decision will have significant ramifications, explained Raether.
“In cases where no statutory claim exists, like HIPAA, it creates further challenges on claims that the loss of the data to the hacker somehow diminished the value of the data,” he added.
“Indeed, we should see an increased emphasis on the nature of the data at issue, creating further individual issues that defeat class certification.”
Overall, the Ramirez decision underscored that breach victims must provide actual, factual proof of standing or harm to satisfy legal requirements, with the Court insisting that victims present evidence of factually established harm.
The Supreme Court further instructed that courts can’t simply presume concrete harm. Raether stressed that’s a high bar that will “likely alter how class actions are litigated from a discovery perspective moving forward.”
Although Ramirez has been decided, Raether believes there will be a continued battle on both sides of the question of proof, given the difficulty of finding individuals who have been the immediate victims of an attacker. And since nearly all consumers have been involved in data security incidents, tracing alleged harm to a particular breach will be even more challenging.
Raether believes it’s time to rethink whether using the courts to fight these battles is best for the country’s overall economic interests.
“Dismissals for lack of standing are not on the merits. For that reason, Justice Clarence Thomas also warned that Ramirez may be a ‘pyrrhic victory’ for TransUnion because it does not prohibit Congress from creating statutory rights, but only holds that federal courts lack jurisdiction to enforce them absent a concrete harm,” explained Raether.
“In other words, state courts, unbounded by Article III, may now be the ‘sole forum’ for such cases,” he added.
As for whether Congress or a federal agency will mandate specific security standards to better enforce data protection measures, Raether believes it's doubtful. Security practices and needs vary by entity and require consideration of key elements specific to the organization.
Addressing the current ransomware crisis, particularly in the health care space, is and will continue to be complicated. Raether noted that threat actors have learned how to exploit the economy of scale central to efficient IT operations to get the most out of a single compromise.
Instead of relying on Congress or federal action, entities across all sectors should move toward a collective response that goes beyond sharing known threats. Raether believes that defense-in-depth measures must be present across all sectors.
Further, all organizations need to shift away from audit-based standards and look toward NIST, MITRE ATT&CK, and other relevant frameworks.
“We need to make a move past looking at information security as a secondary consideration and realize that the threat is real for every organization, making it time to build security into every aspect of IT from dev to ops,” said Raether.
“The stick approach… used by the regulators is so ineffective,” he continued. “It will not generate change in individual companies (except those under immediate scrutiny) and thus will not incentivize global efforts which is what is needed to stop these organized criminals.”