Class Action Lawsuit Prepared for 20K-Record MML Data Breach

The dust has barely settled after the 20,000-record HIPAA data breach at Medical Management LLC (MML), but at least one attorney is poised for action and intends to sign up data breach victims to a new class action lawsuit even though it is too early to tell whether any of the victims have suffered identity fraud or any other damage or harm as a result of the breach.

Claims for data breaches tend to only succeed when the plaintiffs can demonstrate that they have suffered harm, damage or loss as a direct result of a breach. The courts are quick to throw out any speculative claims for unsubstantiated damages. At this stage, no hospital – nor MML – has reported that the stolen information has been used inappropriately.

Joseph Santoli, a class-action lawyer from Ridgewood, announced this week that he will be filing a suit naming six residents of Bergen County whose personally identifiable information and Social Security numbers were stolen and disclosed to a third party. This information was obtained without patient consent or the employer’s authorization: a clear breach of the HIPAA Privacy Rule.

The plaintiffs were patients of one of the three Bergen County hospitals affected by the data breach: Englewood Hospital and Medical Center, The Valley Hospital in Ridgewood, and Holy Name Medical Center in Teaneck.

The lawsuit is expected to be filed in Newark on the grounds of negligence. Santoli said, “In my mind, the breach could have been easily avoided by the hospitals by having protections in place.” He went on to say, “They should have been much more careful with who they hired as vendors.”

The hospitals affected by the data breach have confirmed in breach notices that the data stolen by the former MML employee only included a limited amount of information supplied to the Business Associate, and the hospital records were unaffected. Officials at the hospitals have also confirmed that they were not responsible for hiring the billing and coding service provider.

Class-action lawsuits have been filed on the grounds of negligence before. The Connecticut Supreme Court has allowed HIPAA breach damage claims to be filed on the grounds of negligence, but whether the lawsuit will get that far, or even succeed, will likely depend on whether any data is used to commit fraud.

The hospitals – and MML – responded to the breach in an appropriate manner, issuing breach notice letters to all affected individuals within the notice period stated in the HIPAA Breach Notification Rule, and credit monitoring services are being provided to all affected individuals for a period of 12 months without charge.

Santoli points out that monitoring credit history and checking for fraudulent activity “is not as easy as it sounds.” He said, “They [patients] have to monitor their bills very closely.” While this is undoubtedly true, it is unlikely that a judge will deem that hardship to be sufficient grounds for a class action damages claim.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.