Understanding healthcare data breach lawsuit trends

Lawsuits often follow a healthcare data breach, but understanding what drives litigation trends can help healthcare organizations prepare.

When a healthcare data breach occurs, lawsuits filed by affected individuals often follow. In fact, data breach lawsuits are on the rise across all industries, according to a 2024 report from law firm BakerHostetler.

In 2023, the firm handled more than 1,150 data privacy incidents, 58 of which resulted in one or more lawsuits. That is an uptick from 2022, when just 42 incidents resulted in lawsuits. Nearly 40 of the 2023 lawsuits handled by BakerHostetler involved health information.

Given that thousands of individuals might be affected by a single data breach, the subsequent legal complaints often end up being filed or consolidated as class action lawsuits, meaning that the plaintiffs filed the suit on behalf of a larger group of affected individuals.

As healthcare organizations continue to face a high volume of data breaches, breach victims will likely continue to file lawsuits. Understanding what drives data breach lawsuits can help organizations prepare.

Consolidation in healthcare expands scope of breaches and lawsuits

The healthcare industry has seen a significant consolidation of providers and vendors in recent years, noted Matthew Green, partner at law firm Obermayer and deputy chair of its litigation department.

"Years ago, there were a lot more mom-and-pop providers, and they have joined forces, and now you have these huge conglomerates, you have private equity and massive amounts of consolidation, resulting in a smaller number of entities holding a larger amount of people's information. And that is just going to make the issue explode."

Consolidation in healthcare has natural data security implications. Most notably, if two merging entities integrate critical systems, a breach on those systems can have a larger footprint than a breach on just one of those entities.

What's more, a bigger breach could affect more individuals, resulting in a bigger class if a lawsuit were filed.

Healthcare organizations that are planning to merge with or acquire another organization should conduct thorough risk assessments, assess the organization's data protection practices, and establish a list of nonnegotiables to ensure that both organizations reach a certain standard of security, experts recommend.

Establishing standing in court is a challenge

Healthcare data breach lawsuits often allege that the breached organization was negligent in its duty to protect patient information.

"They have to allege these negligence claims because there isn't a private right of action on HIPAA," Green suggested.

According to the U.S. Chamber of Commerce Institute for Legal Reform, a private right of action "grants an individual or private party the authority to file a civil lawsuit against another party or a business for alleged harm. It outsources enforcement actions to private lawyers rather than state attorneys general or agency officials, turning plaintiffs' lawyers into unofficial enforcers of the law."

HIPAA does not have a private right of action, meaning patients cannot sue healthcare providers over HIPAA violations. However, patients can still sue under state laws for negligence or breach of contract.

"The main issues on the negligence claims, especially when you're filing up front, is the standing issue or the damage issue," Green noted. "In order to prove a negligence claim, you have to show that they had a duty to protect this information, and that there was damage resulting."

The standing piece is often fought upfront because it can be challenging for a patient to prove that a breach caused actual harm, especially without evidence that the breached data was misused.

This is due in part to the June 2021 Ramirez v. TransUnion ruling, in which the Supreme Court ruled that data breach victims must demonstrate actual injury and prove that the defendant's conduct caused the damage.

The ruling signified a shift in how data breaches are handled in federal courts, declaring that plaintiffs must prove that they suffered a concrete injury to claim Article III standing. The risk of future harm alone is not enough to establish standing in federal courts. But the risk of future harm along with concrete harm, such as financial losses, could establish standing.

Cases that have transpired since Ramirez v. TransUnion have challenged this notion. For example, in Clemens v. ExecuPharm, Inc. in 2022, the Third Circuit held that a plaintiff whose data had been stolen but who had not yet suffered any actual financial loss still could plead an "imminent injury" because there was a substantial risk of harm.

"Clemens is notable for distinguishing, if not overruling, circuit precedent seeming to require actual misuse of personal data," the Harvard Law Review stated. "But on a broader view, it is just the latest in a long string of data breach cases that have reached conflicting conclusions on standing under largely identical facts."

As these issues continue to be debated in and outside of court, organizations can expect standing arguments to vary on a case-by-case basis.

"The trend of defining what is needed for standing is going to continue to evolve throughout different states and also in the circuits," Green predicted, highlighting the variability in these cases.

Settlements are a typical result

Given the increasing number of lawsuits filed, healthcare stakeholders are no strangers to settlements.

"A lot of these cases are settled," Green added. "The question of whether there was a breach of duty often isn't definitively resolved, and then if it is definitively resolved, it's going to be case-specific."

For example, in January 2024, Massachusetts-based ReproSource Fertility Diagnostics reached a $1.25 million settlement to resolve claims of negligence tied to a 2021 data breach.

Also, in 2024, Novant Health agreed to pay $6.6 million to settle a class action lawsuit surrounding improper disclosures of protected health information due to the health system's use of third-party tracking tech.

Healthcare organizations will likely continue to face class action lawsuits and allegations of negligence over their handling of data breaches. But the time and money it takes to see these cases through to the end might not be worth it, making settlements a reasonable resolution.

Best practices

As the legal landscape evolves, healthcare organizations can take proactive steps to prevent data breaches and put themselves in a better position to defend against lawsuits.

"Healthcare providers need to keep their fingers on the pulse of what's happening in federal and state government in terms of regulation and defining duties," Green recommended. "That is going to be an important piece as they go forward."

Green stressed the importance of engaging with the right vendors and maintaining contact with those vendors in the event of a breach. Additionally, having cyber insurance can help organizations reduce risk and cost when it comes to data breaches.

"It is hard to say exactly how you should handle these cases because each one is going to be different," Green added.

For example, a vendor of healthcare services that suffered a data breach due to an insider threat would handle a lawsuit differently than a healthcare provider that experienced a ransomware attack. The data involved and the entity type will guide an organization's legal strategy.

"With the amount of increased cyberattacks, with generative AI, with allowing plaintiffs to file class actions more easily and identify potential claimants more easily, the biggest trend is you're going to see a lot more of these cases," Green said. "So how they're dealt with is going to depend on whether there is coverage, the size of the class and whether people can prove actual monetary damages. And that is all going to evolve."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
