Another HIPAA laptop theft lawsuit shows why you could be safe, at least from state lawsuits about health information. Many states are holding fast to the idea that if the plaintiffs cannot prove actual harm from a data breach, they don’t have a leg to stand on.
Case in point: In August 2013, Advocate Health & Hospitals Corp. reported a large data breach after four laptops were stolen from an Advocate medical group administrative building. The laptops contained unencrypted protected health information (PHI) of more than 4 million patients.
Following the breach, two patients filed a class action lawsuit alleging negligence, violation of the Illinois Personal Information Protection Act, violation of the Illinois Consumer Fraud Act, invasion of privacy, and failure to take necessary steps to safeguard patients’ PHI, according to a Health Law Rx blog posting by attorney Carolyn Metnick for the law firm Akerman.
But the Kane County Circuit Court in Illinois has granted Advocate’s motion to dismiss the claims for lack of standing and failure to state a claim, Metnick reports. “The court held that the plaintiffs lacked standing because they could not prove that the information stolen had been accessed or used, and therefore, they could not prove that there had been actual identity theft or harm.”
Although the court conceded that an increased risk of harm existed due to the laptops’ theft and potential accessibility of the unsecured PHI, the thieves would actually need to disclose, sell or otherwise misuse the PHI for the lawsuit claims to be valid.
Caveat: “Even though state causes of action may be difficult to prove, covered entities and business associates face penalties under HIPAA,” Metnick warns. “Also, although difficult, state causes of action are still a risk.”