In April 2019, Health Recovery Services in Ohio disclosed a breach that had begun in November 2018 and had continued until February 5, 2019 when the intrusion was detected. In April, they claimed that although they had no evidence that any protected health information had been obtained, they couldn’t definitively rule it out. Now Conor Morris reports that there is a class-action lawsuit against the non-profit agency for placing class members at “grave risk” of identity theft.
Troy Foster said in the suit – filed this month in the Southern District of Ohio U.S. District Court – that he was a recipient of HRS services, and he along with potentially “thousands” of other patients had their data compromised in the data breach, information that could include Social Security numbers.
Interestingly (to me, anyway), this is the second suit I’ve read about this week where plaintiffs are complaining that it took defendants 60 days to notify them of detected or discovered breaches. When did 60 days become unacceptable? Yes, HIPAA says no later than 60 days, suggesting that notification should be made sooner if possible, but these suits seem to suggest that as soon as entities discover a breach, they should be notifying people — despite the fact that date of discovery of “something happened” is not the same as date of discovering that PHI may have been accessed, and it’s not the same date as figuring out whom you may have to notify. Are plaintiffs becoming unrealistic or unreasonable?
In this case, Health Recovery Services says that nothing has changed since their April disclosure, i.e., they still have no evidence that any ePHI was actually accessed. So the lawsuit seems based on what might have have happened and what might happen if the what might have happened did happen. It seems like possibility building on possibility with no actual demonstration of concrete harm.
Here’s a thought — maybe the laws and courts shouldn’t lower the bar for standing in terms of demonstrating actual harm or injury but the laws should also extend the statute of limitations for filing suit so that if criminals hang on to databases for two years and then sell them to others who use them for ID theft, then individuals can file suit if the entity’s offer of monitoring or restoration services had expired. Just a thought to play with…