Cybercriminals are not the only ones looking to make money from health data breaches.
In California, where a unique state law provides for damages of $1,000 per person per violation of the Confidentiality of Medical Information Act of 1981 (CMIA), plaintiff law firms are lining up to file privacy data breach class-action lawsuits against hospitals, medical service providers and health insurers that, if successful, could easily yield payouts in the multiple millions.
The San Francisco-based legal publication The Recorder reported April 6 that at least a half-dozen plaintiff firms had filed complaints for privacy breaches so far, seeing it as a lucrative new source of income.
Brian Kabateck of the Los Angeles plaintiffs firm Kabateck Brown Kellner told The Recorder, "There's an awful lot at stake here."
Indeed, a suit pending against St. Joseph Health System involves the exposure of medical information of about 31,800 patients. At $1,000 each, even if only one violation is involved, it is simple math to see that would yield damages of $31.8 million.
But there is considerable distance between that gleam in a law firm's eye and reality. The attorneys filing the complaints and the attorneys defending their targets agree that they are in untested legal waters. Filing privacy breach cases as class actions is new, and all those involved say new legal precedents will be made in the next several years.
The CMIA, now more than 30 years old, was obviously designed for an era when documents were secured in file cabinets, and the most a single thief could carry away would likely be less than 30. And, without having somebody on the inside, it would also take breaking locks, smashing windows and generally defeating all the physical security measures common to medical facilities.
Now, with patient records in digital form, "you could have a million records stolen in a couple of seconds," says Randy Sabett, an attorney with ZwillGen, a Washington, D.C.-based law firm specializing in legal issues involved in doing business on the Internet.
Sabett says health care companies could be vulnerable if they took no measures to protect data.
He says a colleague took part in a survey where 38 percent of companies in the medical and financial industries admitted to being knowingly out of security compliance.
But, he says, everybody knows, including judges, that 100 percent security on the Internet simply does not exist. Indeed, there are endless examples of breaches of companies that are in compliance, which makes it much more difficult to prove negligence.
"There is a requirement for reasonable security measures," he says, "but there is a difference in the nature of attacks between the physical and digital world. Today, they change daily, if not hourly. They can be very sophisticated."
Kabateck agrees with that much. "I'm not pursuing cases where there isn't negligence," he says, "but there is disregard for security protocols in many cases. If there is an intervening criminal act, that is a different story."
There are other reasons these cases may not be the proverbial layup for the plaintiffs. The Oregon Supreme Court recently struck down a class-action suit against Providence Health Systems that had been settled six years ago, finding no evidence that any of 365,000 patients whose data had been on disks/tapes that were stolen from a Providence employee's car had suffered any financial loss or other adverse consequences.
That, Sabett says, may be a problem with the California law. "I'm not opining on whether this is good or bad," he says, "but there may be a flaw in the presumption that every single person has suffered $1,000 in damages."
He notes that virtually all companies offer mitigation to their customers. "I haven't worked on a breach case in more than four years where the company has not offered free credit monitoring," he says, "and banks and credit companies issue a new card for free."
Sasha Romanosky, of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, is a co-author of a paper published in February titled "Empirical Analysis of Data Breach Litigation," which found that the odds of a company being sued in federal court were six times lower when it offered free credit monitoring to customers whose information was breached.
"It tends to make them less angry, and also cuts the knees out of a legal claim of damages," he says.
There may be cases where embarrassment or even professional damage from the disclosure of things like names, height, weight, smoking history, blood pressure, patient account numbers, treatment dates, lab results, diagnosis codes and billing charges could cause damages of far more than $1,000.
"But are you going to presume that for everyone?" Sabett asks.
Not in the view of the Oregon Supreme Court, which said in the Providence case, "We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff's personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm."
Of course, the California law doesn't require proof of damages. It imposes the $1,000 simply for proof of violation of the CMIA. And Kabateck notes that the theft of digital data can be very damaging indeed. "If somebody broke into a building and stole records, that's one person looking at them," he says. "On the Internet, it's the whole world. It can affect the ability of people to get jobs, insurance -- things like that."
Kabateck says he doesn't think such suits will become a long-term trend. "I don't think we will be doing this 10 years from now, because corporations will realize there is a cost to screwing up," he says.
Eric Cowperthwaite, CISO of Providence Health & Services, agrees, noting that the average cost per record breached so far has been about $150. "When it more than quintuples to $1,000, that is significant," he says. But he adds that the concern is not just monetary. "I know a lot of health-care security leaders, and every one of them is concerned with protecting patient data," he says.
Still, these cases will undoubtedly be watched closely in other states. An estimated 18 million confidential patient records have been breached in just the past two years, providing the potential for billions in damages. Cowperthwaite says a suit against Sutter Health is of particular interest, since the magnitude of the breach was 4.24 million people, with potential liability to Sutter at $4.5 billion, including attorney fees.
And Romanosky says plaintiffs are "trying everything" to succeed in data-breach suits. "We identified over 86 unique causes of action (from only 231 cases) for essentially the same event: the unauthorized disclosure of personal information," he says.