Exposure of PHI Grounds to Sue for Damages, Rules Mass. Judge

A data breach that exposes sensitive Protected Health Information (PHI) does not necessarily result in patients suffering harm, injury or loss. However, breach victims do face an elevated risk of harm and loss, and many will incur costs from the actions they take to reduce that risk.

It is not uncommon for data breach victims to attempt to recover damages from healthcare providers who have exposed their sensitive health data, but it is rare for those lawsuits to succeed or even be heard. In order to successfully sue a healthcare provider or health insurer for a data breach, the plaintiff must be able to produce evidence that losses have been suffered, or at the very least, that data have actually been viewed by unauthorized individuals.

However, a Mass. Superior Court judge has recently ruled that a plaintiff does actually have grounds to sue for damages, even if evidence of harm or loss cannot be produced. The exposure of PHI alone can be grounds to claim damages.

The ruling came in the case of Walker et al v. Boston Medical Center Corp., with the court concluding that even though the plaintiffs could not demonstrate that an unauthorized individual had gained access to their PHI, the case still had standing. The plaintiffs claimed a “real and immediate risk” of injury as a result of a data breach suffered by Boston Medical Center Corp.

15,000 patients were affected by the breach, which was caused by a Business Associate (BA) of the medical center: MDF Transcription Services. PHI was posted on the BA’s website without password protection, so it could potentially have been viewed by any number of external third parties not authorized to view the data. No Social Security numbers were exposed in the breach, although confidential health data, including medical diagnoses and prescription details, were uploaded to an unsecured website along with patient names and addresses.

Attorneys for Boston Medical Center attempted to have the case thrown out as no evidence of harm or loss could be provided to substantiate the claim, citing the court’s decision in the Clapper v. Amnesty International USA case.

The breach notice sent to patients implied that the plaintiffs’ medical records had actually been accessible to the public, and that they had been for a considerable period of time. As a consequence of the exposure, patients faced a serious risk that those records had been viewed by an unauthorized individual.

The court decided that based on the information provided to patients in the breach notification letters, patients’ medical records “either were accessed or likely to be accessed by an unauthorized person.” Consequently, the claim for damages had standing.

Federal courts take a different approach to standing than the Massachusetts trial courts, so the decision may not set a legal precedent outside the state of Massachusetts. There is also no guarantee that the case will succeed; many other obstacles could stand in the way of a favorable decision for the plaintiffs.

The case will now move to the discovery phase, in which evidence must be submitted to demonstrate the extent of the breach, whether data was accessed, or the probability of data having been accessed. The risk of harm or loss being suffered will also need to be established.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.