HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breach Class-Action Lawsuit Denied by Penn. Superior Court

A proposed class-action lawsuit filed against two health plans over the exposure of members’ protected health information has been rejected by the Pennsylvania Superior Court.

Avrum Baum filed a lawsuit against Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in 2010 following the loss of a flash drive containing the data of approximately 286,000 patients. One of the patients affected by the data breach was Baum’s special needs daughter.

Baum claimed in the suit that the loss of the device violated the privacy rights of patients. He also claimed that the health plans had been negligent in failing to protect patient data, and that they had inaccurately told patients that their protected health information (PHI) was secured. Baum alleged that these deceptive practices violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL).

In July 2013, a trial judge denied class certification on three grounds: Baum could not show that his daughter’s PHI was actually stored on the lost device; he lacked standing because he had not purchased his daughter’s insurance policy, which had been provided through Medicaid; and no ascertainable loss had been suffered. A private cause of action therefore could not be brought under the UTPCPL.


In the recent Superior Court ruling, Judge Correale F. Stevens said: “As stated previously, on December 9, 2014, a panel of this Court affirmed the trial court’s denial of class certification on Appellant’s negligence claims but vacated its decision to deny class certification on the UTPCPL deceptive conduct claim.” The trial court had determined that the UTPCPL claim did not meet the commonality requirement of Rule 1702(2), because a plaintiff bringing a private cause of action under the UTPCPL must show reliance on the deceptive conduct, which is an individual rather than a class-wide question.

This ruling confirms how difficult it can be for plaintiffs to recover damages for the exposure of their protected health information, especially where a plaintiff cannot demonstrate that actual harm or losses were suffered as a direct result of the exposure of PHI.

Victims of healthcare data breaches may face an increased risk of future harm or losses after their PHI has been exposed, but hypothetical harm is unlikely to be sufficient to obtain class certification. Class certification on the grounds of negligence is also hard to obtain, because negligence itself is difficult to prove.

Previous cases have been filed by data breach victims alleging negligence for a healthcare provider’s failure to implement more robust defenses to keep PHI secure. However, it can be difficult to establish whether a breach could realistically have been prevented had alternative data protection measures been in place.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.