Warning: Don’t let up on breach prevention efforts.
Though a state appeals court in Michigan has ruled that unless a plaintiff can prove a “present, actual injury” in a data breach case, awarding damages will be highly unlikely, you need to stay ahead in your breach prevention efforts.
On Dec. 18, the Michigan Court of Appeals shot down a lower court’s ruling that sided with the patients, reported Bloomberg’s Bureau of National Affairs. The appellate court reversed and remanded the lower court’s opinion, ruling that the lower court should have granted summary judgment to Detroit-based Henry Ford Health System (HFHS) in a class action lawsuit.
Background: HFHS contracted with Perry Johnson and Associates Inc. (PJA) for transcription services, according to Bloomberg. PJA’s subcontractor made an error that caused patient records to become available on the Internet.
The online-accessible information included patient names, medical record numbers, and physician notes on patient visits. The named plaintiff in the class action lawsuit claimed her information posted online included diagnoses of alopecia and a sexually transmitted disease.
The lawsuit alleged negligence, breach of contract, and invasion of privacy, Bloomberg reported. The lower court denied HFHS’s and PJA’s summary judgment motions. HFHS and PJA appealed the decision.
Because the plaintiff’s only claim of losses stemmed from costs she incurred for identity theft protection services, the appeals court disagreed with the lower court’s ruling. The appeals court decided that the plaintiff failed to prove that the credit monitoring costs “relate to a present, actual injury.” Further, the plaintiff provided no evidence that anyone actually viewed her PHI on the Internet or used her information for an improper purpose.
Identity theft protection services that the named plaintiff initiated “are not cognizable damages in the absence of present injury,” the appeals court said. Many other courts have also decided that plaintiffs in data breach lawsuits cannot recover credit monitoring services as damages following a data breach where there is no evidence of actual identity theft.