Cost of a Healthcare Data Breach: Lawsuits
by Kira Caban, Director of Communications, Protenus on August 24, 2016
Imagine the following scenario: a celebrity is visiting your hospital after suffering a minor injury. One of your employees lets curiosity get the better of him and accesses the celebrity’s electronic health records (EHRs) without authorization. A protracted lawsuit follows, and this cost of a healthcare data breach can consume months of time and hundreds of thousands of dollars. The media covers the scandal extensively, costing your organization even more by giving it bad publicity and driving customers away.
This is the world of healthcare data breach lawsuits, the topic of our next blog post in the series that examines and breaks down the cost of a hospital data breach. This type of lawsuit is a long and costly affair, regardless of whether the case involves a celebrity, a single plaintiff, or a group of plaintiffs. Even if the lawsuit is eventually dismissed, a healthcare organization will still have to pay significant attorney and legal fees. In short, without some kind of privacy program in place to detect and contain threats, a hospital or healthcare organization will be forced to spend an extensive amount of time and money in the courtroom rather than focusing on the much more important task of meeting the needs of its patients. Review our Cost of a Breach white paper to see the five other cost categories associated with a healthcare data breach.
In this post, we will discuss three types of lawsuits that could affect your institution:
- VIP- or celebrity-related cases
- Class-action and individual lawsuits
- Dismissed lawsuits
The Basics of Healthcare Data Breach Lawsuits
In most cases, data breach lawsuits consist of plaintiffs bringing a class-action lawsuit against an organization after a breach occurs. The plaintiffs normally seek compensatory and punitive damages as a result of the breach of their personal information. The key in these cases is whether the plaintiffs can prove that they were directly harmed by the loss of their information. If they cannot, the judge will often dismiss the case, although, as we will discuss later, this may be changing. Unfortunately, healthcare data breach lawsuits are expensive. The Ponemon Institute estimates that a healthcare organization will spend $880,000 on lawsuits after a data breach. Looking at the numbers in a different way, class-action lawsuits will cost an organization approximately $1,000 per affected patient, but this number does not include individual lawsuits, which will cost much more than that estimate, especially if the lawsuits involve a famous celebrity.
1. A Hollywood Affair
Lawsuits involving celebrities are examples of expensive, individual lawsuits. These lawsuits also tend to be high-profile and thus draw extra attention from the media. For example, in 2011, UCLA Health Systems came to a settlement with federal regulators after two celebrities claimed that their EHRs were viewed by hospital employees without authorization. UCLA Health Systems agreed to pay $865,500 as part of the settlement. Similarly, in 2009, Kaiser Permanente was fined $250,000 when some of its employees illegally viewed the records of Nadya Suleman, the mother of octuplets. And there are countless other examples of healthcare organizations terminating employees or being fined for failing to protect the privacy of celebrities visiting their hospital.
2. Class-Action & Individual Lawsuits Cost Healthcare Millions
Even if a lawsuit does not involve a celebrity, it can still be expensive and last for years. In many cases, such lawsuits are actually more expensive because they involve a large number of affected patients, as opposed to one or two celebrities. In 2012, St. Joseph Health System suffered a breach that affected 31,800 patients. In March 2016, St. Joseph agreed to pay $7.5 million to the 31,074 plaintiffs who participated in the class-action lawsuit, meaning that St. Joseph paid approximately $241 per plaintiff. This does not include, however, the $7.4 million the organization paid in attorney fees and costs.
Anthem Inc. is currently engaged in a class-action lawsuit after suffering a breach that affected 80 million patients. Three class-action lawsuits were brought against Anthem less than 24 hours after the media reported the breach. Eventually, there would be a total of about 100 lawsuits brought against Anthem, so the judge consolidated them into one class-action lawsuit, and in May of this year, the case moved to the discovery phase. Another current lawsuit involves Aspen Valley Hospital District and a former employee. In this lawsuit, a former employee of Aspen Valley Hospital, who was also a patient there, alleged that his privacy was violated when employees of the hospital disclosed that he had HIV. The unidentified plaintiff is seeking an apology, compensatory damages, punitive damages, and attorney fees from the hospital. These are two examples of lawsuits that are going on right now, and only time will tell what the final cost of these breaches will be.
3. Dismissed Lawsuits Don’t Mean You’re Off the Hook
Even when a judge dismisses a lawsuit because there is not enough evidence that the plaintiff suffered direct harm as a result of the breach, the lawsuit still costs a healthcare organization precious time, money, and negative publicity. The health insurer CareFirst suffered a breach affecting 1.1 million patients in June 2014. The class-action lawsuit brought against CareFirst was dismissed in May 2016, but only after a year of litigation. Likewise, a case against Advocate Medical Group was dismissed in August 2015 after a breach that affected over 4 million patients. Despite the fact that both of these cases were dismissed, Advocate Medical Group and CareFirst must still consider the cost of the lawsuit, both in terms of money and negative public perception.
Moreover, Mary Chaput, the CFO of Clearwater Compliance, explains that the 2013 Adobe Systems breach case, in which the U.S. District Court found that “potential future harm is sufficient to allow a putative class of plaintiffs to proceed in federal court,” may have set a precedent. In other words, the tide may be turning in favor of the plaintiffs in data breach lawsuits, and judges may be less willing to dismiss a lawsuit in which the plaintiffs allege only potential future harm.
Stay Out of the Headlines with Improved Privacy Posture
Now, contrast the opening scenario of a long, drawn-out celebrity lawsuit with the following scenario: a proactive privacy program notifies security officials of a potential threat right away. Acting rapidly, the officials move to contain and neutralize the threat. This is quickly followed by a forensic investigation, and because all the necessary information is readily accessible, the investigation is able to confirm exactly which EHRs were breached and by whom. The threat is neutralized before more damage can be done. Again and again, guides on how to deal with a data breach emphasize the need to act quickly in order to contain a threat. Thus, having a privacy program in place to detect and respond to threats is critically important.
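The detection and "which records, by whom" steps described above, as an added example that is not Protenus' code or the original post's: a check over an EHR access audit log that flags every access by a user who is not on the patient's documented care team, raises the severity for patients flagged as VIPs (the opening scenario), and groups the hits into the per-patient summary a forensic investigation needs. The audit records, patient ids, user names and care-team table are all constructed for the example.

```python
"""Flag EHR accesses that lack a documented care relationship.

Every value below (audit records, patient ids, user names, care teams)
is constructed for this example; a real deployment would read the EHR
application's own access audit log and its care-team/ADT data.
"""
from collections import defaultdict

# Constructed sample audit log: (timestamp, user, role, patient_id, action)
AUDIT_LOG = [
    ("2016-08-20T09:01", "nurse_a", "nurse",     "P100", "view"),
    ("2016-08-20T09:05", "clerk_b", "billing",   "P777", "view"),  # VIP, no relationship
    ("2016-08-20T09:07", "dr_c",    "physician", "P777", "view"),  # VIP, on care team
    ("2016-08-20T09:30", "nurse_a", "nurse",     "P777", "view"),  # VIP, not on care team
    ("2016-08-20T10:00", "clerk_b", "billing",   "P100", "view"),
    ("2016-08-20T10:15", "clerk_b", "billing",   "P200", "view"),  # no documented care team
]

# Constructed: patients flagged as VIP, and each patient's documented care team.
VIP_PATIENTS = {"P777"}
CARE_TEAM = {"P777": {"dr_c"}, "P100": {"nurse_a", "clerk_b"}}


def find_suspicious_access(log, vip_patients, care_team):
    """Return every access whose user is not on the patient's care team.

    Severity is 'high' for VIP patients (the snooping scenario) and
    'medium' otherwise, so the privacy team can triage the VIP hits first.
    """
    hits = []
    for ts, user, role, patient, action in log:
        if user in care_team.get(patient, set()):
            continue  # documented treatment relationship: expected access
        severity = "high" if patient in vip_patients else "medium"
        hits.append({"time": ts, "user": user, "role": role,
                     "patient": patient, "action": action, "severity": severity})
    return hits


def breach_report(hits):
    """Group flagged accesses by patient: which records were touched and by whom."""
    report = defaultdict(set)
    for h in hits:
        report[h["patient"]].add(h["user"])
    return {patient: sorted(users) for patient, users in report.items()}


if __name__ == "__main__":
    flagged = find_suspicious_access(AUDIT_LOG, VIP_PATIENTS, CARE_TEAM)
    for h in flagged:
        print(f"{h['severity']:6} {h['time']} {h['user']} ({h['role']}) -> {h['patient']}")
    print(breach_report(flagged))
```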
Download our Cost of a Breach white paper to learn all of the potential costs associated with a healthcare data breach.