Consumer Fraud Laws Can Keep Data Breach Cases 'Alive,' Says Lawyer
HIPAA and other privacy regulations often don't help consumers make a monetary argument in court against health care firms that have experienced a data breach, said attorney Nick Palmieri in a blog post Tuesday. Unlike the Health Insurance Portability and Accountability Act (HIPAA), however, "consumer-fraud statutes can keep a case alive," he said.
As a result, it's vitally important that health care entities ensure their privacy notices track closely with the organization's capabilities, thus avoiding deceptive-practice claims, the Baker Botts lawyer added.
For example, in Johnson v. Yuma Regional Medical Center, “fourteen patients sued the hospital after a ransomware incident exposed the data of roughly 700,000 individuals,” the blog said. The U.S. District Court for Arizona judge “dismissed four of the five causes of action -- negligence, breach of implied contract, unjust enrichment, and breach of fiduciary duty -- while allowing a single claim under the Arizona Consumer Fraud Act (ACFA) to proceed.”
Judge Susan Brnovich ruled the plaintiffs’ fraud-by-omission theory under the ACFA could stand. “Patients alleged they received the hospital’s Notice of Privacy Practices and Privacy Policy, relied on its assurances of confidentiality, and were never told about major security deficiencies,” Palmieri said. The suit “alleged enough detail to suggest [plaintiffs] would have acted differently had the hospital disclosed its security gaps, so the ACFA claim moves forward to discovery.”
In dismissing the other claims, the judge ruled the hospital “owed no common-law duty” to protect patients from economic losses resulting from the data breach, and that hospitals as institutions do not automatically owe fiduciary duties to patients. Brnovich also decided that privacy policies pledging an entity is “‘committed to protecting’ patient data” are too vague to sustain a claim.
The case “reinforces a growing trend: HIPAA violations, standing alone, seldom generate private negligence or contract liability, but plaintiffs can still gain traction by framing their case as a deceptive practice or fraud-by-omission claim where the underlying state laws support such claims,” Palmieri said in the blog. “Healthcare entities should view privacy notices as live documents -- not boilerplate -- and align them closely with the organization’s actual cyber-security capabilities.”