Following any healthcare data breach, numerous lawsuits are likely to be filed by victims seeking damages for having their data exposed to criminals. Premera Blue Cross, which reported an 11M-patient HIPAA data breach earlier this month, has now had five class-action lawsuits filed against it in the past few days.
The lawsuits argue that the insurer should be held financially responsible for the incident and must award damages and restitution, in addition to taking action to prevent future breaches and notifying all affected about the specific data that was compromised in the breach.
Class Action Lawsuits Resulting from HIPAA Data Breaches
It is almost a certainty that litigation will follow a data breach, although it is rare for class-action lawsuits to succeed. In order to successfully claim damages, there must be evidence of loss or damage caused as a result of the data breach. A victim may be placed at an increased risk of suffering medical or identity fraud, but it is unlikely that any damages will be awarded unless that individual can show that their identity has been stolen or that they have become a victim of fraud.
However, last year the Connecticut Supreme Court allowed a case to be filed on the grounds of professional negligence, if there has been a breach of generally accepted standards of care. It is therefore not surprising that the class-action lawsuits filed against Premera are of a similar nature.
The lawsuits have been filed in the Seattle District court by plaintiffs living in Washington, Nevada and Massachusetts and all claim that Premera Blue Cross was negligent and breached the contract it had with its customers. The lawsuits also claim that Premera Blue Cross violated HIPAA Privacy and Security Rules – in addition to the Washington Protection Act – and that notification letters were unnecessarily delayed.
Unnecessary Delay in Issuing HIPAA Breach Notifications
Premera first became aware of the breach on January 29, 2015; however, the hackers first gained access to the insurer’s computer network on May 5, 2014. The insurer did not notify the media or its customers until March 17, which was 47 days after the discovery of the breach. According to the HIPAA Breach Notification Rule, Premera is allowed a maximum of 60 days to issue breach notification letters and make a media announcement about the incident, so there appears to be no breach of HIPAA rules regarding the issuing of notifications.
However, since the letters have only just been sent, it is probable that a percentage of victims will not receive the notification letters within this timeframe. According to a recent report on the Anthem data breach, that insurer has yet to contact 50 million of its 78.8 million breach victims more than a month after the breach was reported. Both Sen. Patty Murray and committee chairman Lamar Alexander, R-Tenn., have criticized the slow response and urged the insurer to “accelerate its pace of notifying customers”.
Premera too is being criticized for the delay in issuing notifications. Two investigations were launched following the HIPAA breach by Murray and Washington state insurance commissioner, Mike Kreidler, both of whom expressed their concern about the delay in the issuing of breach notification letters. According to the Seattle Times, one of the attorneys filing a class action lawsuit, Darrell Cochran, of Pfau Cochran Vertetis Amala, has also spoken out about the delay saying “Right now everyone is operating in the dark about what information has been taken and who might have taken it.”
The CEO of Premera, Jeffrey Roe, wrote a letter to Sen. Patty Murray last week responding to the Senator’s request for answers about the breach.
Murray had demanded answers, in particular, an explanation for the “failure to immediately inform current and former policy holders, including 6 million current or former Washington residents, that their information may have been compromised.” She also wrote that she was “seriously concerned about the pace of notification, as well as how impacted families and businesses are being informed and assisted.”
Roe’s response stated that it was not yet clear how the attack took place, and that Premera “waited to inform the public until after its information-technology systems were secure”. Roe also said that this response was based on the advice of Mandiant, the company it used to investigate its computer-security issues.
Breach Not Caused by Security Vulnerabilities Discovered by OPM Auditors
There is also the issue of the Office for Personnel Management Audit, which highlighted 10 security vulnerabilities just 3 weeks before the attack took place. This, it is argued, should have resulted in prompt action being taken, which could potentially have prevented the HIPAA breach. Some of the 10 security vulnerabilities could be exploited by hackers to gain access to the insurer’s computer systems. However, Mandiant conducted an investigation and determined that the data breach was in no way related to any of the points raised by the Office for Personnel Management audit.
According to the Seattle Times, Premera was “expecting litigation on the issue”, but Eric Earling, vice president of corporate communications at Premera, has so far declined to comment on the lawsuits.