There is an epidemic of cyber security breaches of consumers' personal information, no doubt about it. At a fast and furious pace, cyber attacks on hospitals seem to be coming from anywhere and everywhere. With each breach, hackers show increasing boldness and sophistication. Health systems have become a one-stop shop for cybercriminals, who not only steal valuable credit card information but also gain access to even more lucrative confidential patient information. Unlike a credit card, which can be cancelled, stolen personal health information remains at risk of illicit use for the rest of the victim's life, because it contains identifying information that cannot be changed (such as social security number, birth date, employment record, family members' medical history, genetic information and personal health history).
How much information is being stolen? One recent example involves Banner Health. The sensitive patient information and payment card data of over 3.7 million of Banner's health plan members and customers was hijacked. Banner is only one of at least 13 reported health information data breaches that occurred in the single month of August, 2016. The number of patients whose personal information has been hacked is staggering: for example, 655,000 Bon Secours patients were exposed in a data breach disclosed within days of the Banner breach.
The number of patient records compromised in these recent breaches still pales in comparison to the number of health records that can be taken in one fell swoop: in the largest healthcare breach to date, nearly 80 million personal records were stolen from Anthem in the breach disclosed in early 2015, shortly after the FBI had warned that hackers were targeting health care.
These health care providers are not alone: there have been four reported cyber-thefts of Kaiser Permanente members' records in the last five years. Healthcare has become the most frequently targeted industry for cyber attacks, edging out even the banking industry.
No one is immune: every industry, person, company, and government is at risk of a cyber attack. Over half a billion personal records were stolen or lost in 2015, ransomware increased by 35%, and 9 mega-breaches occurred. Soberingly, most companies still do not report the full extent of their security breaches, likely for commercial reasons. Cybercriminals operate in a myriad of ways, from infiltrating and paralyzing entire systems and holding them for ransom, to stealing personal data and selling it on underground markets. As the economic and political opportunities created by breached cybersecurity continue to grow, so too have the opportunities in the healthcare setting.
What can a consumer whose information has been cyber-stolen do about it? For a long time, there was no remedy. Fortunately, times are changing and there are potential remedies available:
- California Confidentiality of Medical Information Act
California has one of the more progressive state laws protecting consumers: the Confidentiality of Medical Information Act (CMIA), California Civil Code section 56 et seq., which provides:
“No health care provider can disclose or release medical data about a patient without authorization.”
A $4.1 million settlement was paid by Stanford Hospital after 20,000 patients' bills containing sensitive, private patient information were posted online. The data was posted by a business partner Stanford had contracted with to handle the patients' emergency room bills.
Recovery under the CMIA is not always a "slam dunk" when patient records are hacked. The California Court of Appeal has narrowed liability under the CMIA, so that a consumer must generally establish the following in order to win:
(a) Disclosure of "individually identifiable information" is required, meaning information about the patient's medical history (such as mental or physical condition) or treatment. Eisenhower Medical Center v. Superior Court (Riverside County), 226 Cal.App.4th 430 (2014).
(b) Negligence. While some courts have required proof of negligence, the CMIA does not expressly require it, and the California Supreme Court could well find, based on the legislative history, that this is a strict liability statute. In the meantime, negligence may not be difficult to prove. The U.S. Food and Drug Administration (FDA) has found that the most common causes of medical records being hacked include lax password distribution; disabled, weak or absent passwords; lack of updated security software; and lack of encryption. Who can argue that such rookie moves in the handling of voluminous and sensitive patient information are not negligence? In fact, criminal recklessness comes to mind!
(c) Proof that an unauthorized person actually viewed the medical information. This is the element that has been most difficult for consumers to establish. For example, in Regents of the University of California v. Superior Court, 220 Cal.App.4th 549 (2013), a UCLA physician's laptop containing thousands of patients' electronic charts was stolen. Because the patients could not allege that the data had actually been "disclosed" after the theft, the case was dismissed. Left uncertain after the UCLA case was whether proof of disclosure alone was enough for a lawsuit to go forward. While the California Supreme Court has yet to rule on the issue, another Court of Appeal decision holds that even disclosure alone is not sufficient: a plaintiff must prove that the "stolen medical information was actually viewed by an unauthorized person." Sutter Health v. Superior Court of Sacramento County (Atkins), 227 Cal.App.4th 1546 (2014). The court held that mere possession of medical information or records by an unauthorized person is insufficient to establish a breach of confidentiality if the unauthorized person has not viewed the records.
All is not lost for consumers: the California Supreme Court has yet to rule on these issues, and it could well find that the legislative history imposes no such restrictions on recovery. Further, as outlined below, federal courts have eased the requirements for similar lawsuits.
- Federal Class Actions
Recently, multiple federal Courts of Appeals have rendered pro-consumer decisions in consumer class actions.
For example, in September 2016, the United States Court of Appeals for the Sixth Circuit held in Galaria v. Nationwide Mutual Insurance Co., __ F.3d __ (6th Cir. 2016), that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in the plaintiffs' complaints. The court reasoned that where the plaintiffs already know they have lost control of their data, it would be unreasonable to expect them to wait for actual misuse (a fraudulent charge on a credit card, for example) before taking steps to secure their own personal and financial affairs. Where the plaintiffs allege that they and other putative class members must spend time and money to monitor their credit, check their bank statements, and modify their financial accounts, those costs are a concrete injury incurred to mitigate an imminent harm, and they satisfy the injury requirement for standing.
Similarly, the court in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), reasoned: "[w]hy else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make a fraudulent charge or assume those consumers' identities." This is consistent with the Seventh Circuit's rationale in Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), where restaurant customers' credit-card data was stolen in a data breach, because a "primary incentive" for a breach is to commit fraud.
Closer to home, the Ninth Circuit (which includes California) similarly found standing in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), where employees sued after a thief stole a company laptop containing their personal information.
Not all federal Courts of Appeals decisions favor consumers on this point. The Third Circuit reached a different conclusion in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). In Reilly, a hacker broke into a payroll processor's network, but it was not clear "whether the hacker read, copied, or understood" the personal data stored on the system. The plaintiffs whose data was on the system alleged an increased risk of identity theft, but the court concluded that the injuries were too speculative because there would be an injury only "if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully." The Third Circuit also distinguished the case from data-breach cases in which courts had found standing: "Here, there is no evidence that the intrusion was intentional or malicious."
The pro-consumer decisions in the federal courts may well open the way for similar findings in class actions under the California statute. The CMIA provides for nominal damages of $1,000 per person in addition to actual damages (such as the costs of changing bank accounts, freezing credit, and so on), and allows recovery of attorney's fees and costs.
Stay tuned as the state and federal courts scramble to keep up with the rapid technological advances that allow cyber-thieves to remotely and repeatedly steal your most private information with the click of a mouse.
If you or someone you know has had their personal medical information or other personal data stolen by a cyber attack in California, please contact us using the button at the bottom of this page, or call 619-238-8700.