BreachExchange mailing list archives

What Makes Hospitals Lose Data Breach Lawsuits? 3 Cases Provide Insight


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Apr 2014 13:30:09 -0600

http://www.beckershospitalreview.com/legal-regulatory-issues/what-makes-hospitals-lose-data-breach-lawsuits-3-cases-provide-insight.html

The holdings in three recent cases brought as a result of healthcare
industry data breaches provide some insight into what makes a data breach
lawsuit successful or unsuccessful, according to a new article in the New
York Law Journal.

1. Circumstantial evidence will be considered. In the case of C.E. v.
Prairie Family Medicine P.C., the plaintiff sued a local medical clinic
after an employee of the clinic allegedly disclosed the plaintiff's
positive HIV test to a third party, thereby leading to the spread of news
of her positive test results to the surrounding community.

At the trial court level, the court held the plaintiff could not produce
any "competent evidence" illustrating the medical clinic or its agents were
negligent in releasing the details of the positive HIV test, and thus there
was no connection between the clinic and the plaintiff's request for
damages.

In March, the Supreme Court of Nebraska overturned the lower court. The
court held the plaintiff had shown by circumstantial evidence there was a
possibility the clinic had caused the tortious conduct alleged in the case.

2. More than speculation of exposed data is required. In the case of
Polanco v. Omnicell, a patient brought a class-action lawsuit in New Jersey
after a medical service provider's employee had a laptop containing
unencrypted personal medical information stolen from their car.

In December 2013, the presiding court ultimately held the plaintiff could
not bring the suit because the provider had informed the plaintiff her
confidential information was not located on the stolen laptop. The court
further held a speculative increased risk of identity theft is insufficient
to have standing to bring a negligence lawsuit resulting from a data breach.

3. There must be actual damages. In 2012, in Worix v. MedAssets, a
plaintiff filed suit alleging the defendant was negligent in safeguarding
his personal and health information when a hard drive containing patients'
information had been stolen from the vehicle of one of the defendant's
employees.

In March 2012, the court held Illinois law requires an actual injury to
sustain a negligence claim, and the plaintiff failed to allege he had
actually suffered the loss of any money or property but rather had alleged
only he was subject to an increased risk of identity theft.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
