DataBreaches.Net


Class action lawsuits following breaches in the medical sector: do they help or make things worse?

Posted on January 28, 2023 by Dissent

In their predictions for 2023, the very first prediction by Mary T. Costigan, Jason C. Gavejian & Joseph J. Lazzarotti of JacksonLewis involved healthcare and medical data security and tracking:

2023 will see a significant increase in the number of lawsuits and perhaps OCR compliance reviews relating to medical information privacy and HIPAA, including new developments such as pixel and other tracking technologies. We will see more regulation of health apps and websites as the necessities and advantages of remote health care that were brought by the pandemic are considered further.

DataBreaches concurs in their prediction about a significant increase in the number of lawsuits. As to compliance reviews, they may increase, but DataBreaches is not optimistic that enforcement actions will actually increase, although we certainly hope they will.

But the lawsuits have already been increasing dramatically in the past few years, it seems. If memory hasn’t totally failed me, it used to take years before a lawsuit stemming from a healthcare entity data breach would settle. Nowadays, there seems to be a much shorter time frame from breach disclosure to lawsuit filed to settlement.

The following are just a few of the many potential class action lawsuits filed or settled recently. In most of these lawsuits, plaintiffs generally are not alleging any concrete harm such as identity theft or fraud. And of course, in all of the settlements, the defendants deny any and all allegations but state that they are settling to avoid the costs of litigation, etc.

But do these lawsuits promote better data security? Do entities actually think, “Whoa, we’d better invest more in protecting data and monitoring business associates or we’ll get sued like they did?” Or do they think that their insurance will cover most litigation expenses and that is still cheaper than the cost of developing and implementing better data security?

Read more about some of the lawsuits, below, and see what you think.

Katherine Shaw Bethea Hospital: $380k Settlement

Katherine Shaw Bethea Hospital agreed to pay $380,000 to resolve claims it failed to prevent a data breach in September 2021. If you do not remember that incident at all, it involved the disclosure of patient information to other patients via mailings and an online portal. Notifications were made by Magnet Solutions, and the incident was reported to HHS as affecting 1,553 patients. The case was Doe, et al. v. Katherine Shaw Bethea Hospital, et al., Case No. 2021L00026, in the Circuit Court of Illinois for the 15th Judicial Circuit, and the settlement site is KSBSettlement.com. It does not appear to include any provisions for any enhancements in security or monitoring or auditing of business associates or data protection. Read more at TopClassActions.

Logan Health Medical Center: $4.3m Settlement

Logan Health Medical Center settled claims stemming from a 2021 hacking incident that potentially affected 213,543 patients and employees. This was the second breach-related lawsuit settled by the Montana provider in less than three years. Prior to rebranding from Kalispell Regional Healthcare in May 2021, the health system reported an undetected phishing attack in 2019 that led to a monthslong data compromise for 130,000 patients.

This case is Tafelski, et al. v. Logan Health Medical Center, Case No. ADV-22-0108 in the Montana 8th Judicial District Court for Cascade County. The settlement site is loganhealthsettlement.com. Read more at TopClassActions.

Paragraph 68 of the settlement reads:

Business Practice Changes. Logan Health agrees to provide Class Counsel information concerning the remedial actions that it has taken, began or planned since the Data Security Incident as part of its ongoing efforts, to enhance, improve, and strengthen its cybersecurity training and awareness programs, data security policies, security measures, restrictions to accessing Personal Information, and its monitoring and response capabilities.

No other references were found in the settlement agreement to any specific improvements or changes in security measures.

San Andreas Regional Center: Undisclosed Amount

According to plaintiffs in the class action lawsuit, San Andreas Regional Center failed to protect consumer data through reasonable cybersecurity measures. The center reported experiencing a ransomware attack in July 2021 that affected more than 57,000 patients.

The case is Lopez, et al. v. San Andreas Regional Center, Case No. 21CV386748, in the California Superior Court for Santa Clara County. The settlement site is sarcdatasettlement.com. Read more at TopClassActions.

Paragraph of the settlement agreement reads:

Remedial Measures/Security Enhancements. Plaintiffs have received assurances that SARC has implemented or will implement certain reasonable steps to adequately secure its systems and environments, including taking the steps listed in Exhibit 1 to Plaintiffs’ Unopposed Motion for Preliminary Approval of Class Action Settlement (the confidential declaration agreed SARC will pay costs associated with these security-related measures separate and apart from the other settlement benefits described in this Settlement Agreement. Exhibit 1 will be filed under seal.

Well, that sounds a bit more hopeful.

As to the lawyers’ predictions about lawsuits stemming from Meta pixel tracking, a number of those have already been filed, and DataBreaches anticipates many more will be filed. A recent filing, Doe v. The Christ Hospital in Ohio, is somewhat more detailed than many lawsuits, as it includes images of highlighted source code showing the problems.

 

Category: Breach Incidents, Commentaries and Analyses, Exposure, Hack, Health Data, Malware, U.S.
