Horizon Class Action Claim for HIPAA Breach Tossed

According to a report in the New Jersey Law Journal, a class-action claim for a HIPAA breach has been thrown out by a NJ judge. The claim was filed by four plaintiffs against New Jersey’s largest health insurer, Horizon Blue Cross Blue Shield (HBCBS).

The incident that triggered the lawsuit was a breach of HIPAA data caused by the theft of two unencrypted laptop computers from the Newark office of the HBCBS back in November 2013. The breach exposed the data of approximately 840,000 of the insurer’s members in one of the largest data breaches to be reported that year.

The quartet alleged that as a result of the breach they – and more than 830,000 other members – were placed at an elevated risk of suffering identity fraud because PHI had been obtained by thieves along with their Social Security numbers.

There is no private right of action under HIPAA; however the Connecticut Supreme Court made the decision to allow individuals affected by data breaches to sue the organizations after data breaches, provided there is evidence of negligence. A class action lawsuit for a breach of HIPAA data can therefore be made.

In this case, U.S. District Judge Claire Cecchi ruled on March 31, 2015 that the class action lawsuit against Horizon Blue Cross Blue Shield had no standing because there was no data to suggest that the PHI of those filing the lawsuit or any of the other plaintiffs had actually been used, and that individuals had suffered no apparent harm. Without any proof that the data had been used by thieves for fraudulent purposes there was no valid claim.

Three of the plaintiffs also made a claim for economic injury, as they had paid for their private and confidential information to be protected by security measures that were not implemented by the insurer. While a proportion of their premiums should have covered security to protect their data, this claim was also thrown out since the plaintiffs were unable to show sufficient evidence of having suffered economic harm as a result of the data breach.

As with a number of recent “speculative” class-action lawsuits following breaches of PHI, there must be some evidence of harm, damage or loss as a result of the unauthorized disclosure for damages to be awarded. Cases made on the grounds of negligence must show evidence of such and if PHI is alleged to be in the hands of thieves, this must be backed up with some evidence to suggest this is actually the case.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.