A proposed class-action lawsuit filed against two health plans for the exposure of members’ protected health information has been rejected by the Pennsylvania Supreme Court.
Avrum Baum filed a lawsuit against Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in 2010 following the loss of a flash drive containing the data of approximately 286,000 patients. One of the patients affected by the data breach was Baum’s special needs daughter.
Baum claimed in the suit that the loss of the device violated the privacy rights of patients. He also claimed that the health plans had been negligent in failing to protect patients' data and had inaccurately told patients that their protected health information (PHI) was secured. Baum claimed that deceptive practices were used, which violated the Uniform Trade Practices and Consumer Protection Law (UTPCPL).
In July 2013, a trial judge denied the class-action lawsuit. Baum could not show that his daughter’s PHI was stored on the device, and the case did not have standing because Baum had not purchased his daughter’s insurance policy, which had been provided through Medicaid, and because an ascertainable loss had not been suffered. A private cause of action could therefore not be brought under UTPCPL.
In the recent Superior Court ruling, Judge Correale F. Stevens said: “As stated previously, on December 9, 2014, a panel of this Court affirmed the trial court’s denial of class certification on Appellant’s negligence claims but vacated its decision to deny class certification on the UTPCPL deceptive conduct claim.” The trial court had determined that the UTPCPL claim did not meet the commonality requirement of Rule 1702(2), because a plaintiff must show reliance in order to file a private cause of action under UTPCPL.
This ruling confirms how difficult it can be for plaintiffs to recover damages for the exposure of their protected health information, especially in cases where a plaintiff is unable to demonstrate that actual harm or losses have been suffered as a direct result of the exposure of PHI.
Victims of healthcare data breaches may be exposed to an increased risk of suffering future harm or losses after their PHI has been exposed, but hypothetical harm is unlikely to be sufficient to obtain class certification. It is also difficult to obtain class-action certification on the grounds of negligence, as negligence can be difficult to prove.
Previous cases have been filed by data breach victims on the grounds of negligence for a healthcare provider’s failure to implement more robust defenses to keep PHI secure. However, it can be difficult to determine whether breaches could realistically have been prevented had alternate data protection systems been implemented.