Share this article on:
Following any significant breach of protected health information HIPAA covered entities can expect breach victims to file lawsuits to recover damages. Last year’s 78.8 million-record data breach at Anthem Inc., is no exception. Over 100 lawsuits have been filed by plaintiffs to recover damages.
Some of the suits are speculative, with plaintiffs attempting to recover damages for the increased risk of harm now faced, although some breach victims are claiming to have suffered actual losses as a result of the Anthem data breach.
It is not surprising that the insurer’s legal team has attempted to determine whether the victims have actually suffered losses as a direct result of the Anthem breach. In 2015, over 113 million healthcare records were exposed or stolen. The majority of those records were stolen in the Anthem data breach, but it is conceivable that identity theft could have resulted from another healthcare – or non-healthcare – data breach, from a lack of basic security measures applied by the victims, or from the inadvertent installation of malware on victims’ devices.
In an unusual move, Anthem’s legal team has attempted to clarify this by requesting access to victims’ computers, smartphones, and tablets. Anthem filed a motion to access and take an image of victims’ computers to allow its analysts to determine how the alleged identity theft occurred.
U.S. District Judge Nathaniel Cousins gave an oral ruling rejecting the request, saying it was “ironic that the defense was seeking discovery of the plaintiff’s personal information when the core allegations of the plaintiffs is the defense failed to protect them from damage to their personal information.”
According to the Courthouse News Service, Eve Cervantez, the plaintiffs’ attorney, said “allowing Anthem access to computers, tablets and phones would place an unfair burden on the plaintiffs by forcing them to hand over personal information to a company they are suing for failing to protect their information.”
The request may be atypical for data breach lawsuits, although it is reasonable to expect an attempt to be made to determine whether harm was caused as a direct result of the actions or inaction of the defendant.
The judge has left it to both parties to arrive at a less invasive way to determine the extent to which the breach caused harm, and to find some common ground that would allow some discovery.