Share this article on:
An Illinois circuit court in Kane County has dismissed a class action lawsuit that arose from the Massive HIPAA breach affecting the healthcare provider last August. The incident potentially exposed the data of approximately 4 million patients when four unencrypted computers were stolen from its Park Ridge facilities.
The class action lawsuit was filed by two plaintiffs who alleged Advocate Health acted with negligence by failing to implement the appropriate safeguards to protect their data. The lawsuit also claims Advocate Health violated both the Illinois Personal Information Protection Act and the Illinois Consumer Fraud Act in addition to the incident causing an invasion of privacy.
The court ruled in favor of Advocate Health & Hospitals because the case lacked standing. While there was no doubt that the PHI of the patients had been potentially exposed, the plaintiffs were unable to offer enough evidence to confirm that the data had actually been viewed by an unauthorized individual. Without this proof it was not possible to establish whether any harm or damage had actually been caused.
If there is no injury or damage there can be no claim, and while the court did accept that the probability of identity theft occurring had increased, there was not no certainty that the data would be accessed or used inappropriately. In order for a case to be ruled in favor of the plaintiffs the thieves would have to have sold or used the data, and some evidence of that would need to be provided.
Furthermore, allegations of injury had been made but again insufficient evidence was submitted to support claims for negligence or fraud under the Illinois Consumer Fraud Act. The claim that there had been an invasion of privacy was also dismissed due to there being “insufficient allegations of intentional conduct.”
Although class action lawsuits can be filed for personal injuries and damage caused as a result of a HIPAA security breach they can be difficult for plaintiffs to win. There is no private cause of action under HIPAA so in order for a case to be successful it must be established and proven that the actions of a HIPAA-covered entity actually violated state law theories.
It is unlikely that any claim will be successful if proof of harm or injury cannot be provided, and while evidence of data exposure may exist, without that data being used, sold on or otherwise causing demonstrable harm, plaintiffs are unlikely to receive compensation. This does not let healthcare companies off the hook, as the Department of Health and Human Services investigates reported breaches and can apply heavy financial penalties to institutions that fail to comply with HIPAA regulations, regardless of whether data has been seen, accessed or used by unauthorized individuals.