Data breaches that compromise the protected health information (PHI) of massive numbers of patients have become all too common. In addition to steep HIPAA fines and horrible public relations, such breaches have spawned a new nasty consequence: threat of a class action lawsuit. The case against Ambry Genetics is a notable example and one that also illustrates why it’s so hard for victims to win these lawsuits. The Ambry Genetics Data Breach In January 2020, Ambry Genetics was the victim of a hacking incident that compromised the personal data of up to 230,000 individuals, including patients’ names, dates of birth, health insurance and medical information, and in some cases, Social Security numbers. The good news is that unlike many organizations that get hacked, the California genetic testing lab did what HIPPA required it to do in responding to the incident. It investigated the matter, reported the breach to authorities and the victims and promised to implement corrective actions to ensure something like this would never happen again. It even offered affected patients complementary identity monitoring services. But like so many other providers that suffer cybersecurity data breaches these days, Ambry faced the liability nightmare of a class action suit. A […]
Data breaches that compromise the protected health information (PHI) of massive numbers of patients have become all too common. In addition to steep HIPAA fines and horrible public relations, such breaches have spawned a new nasty consequence: threat of a class action lawsuit. The case against Ambry Genetics is a notable example and one that also illustrates why it’s so hard for victims to win these lawsuits.
The Ambry Genetics Data Breach
In January 2020, Ambry Genetics was the victim of a hacking incident that compromised the personal data of up to 230,000 individuals, including patients’ names, dates of birth, health insurance and medical information, and in some cases, Social Security numbers. The good news is that unlike many organizations that get hacked, the California genetic testing lab did what HIPPA required it to do in responding to the incident. It investigated the matter, reported the breach to authorities and the victims and promised to implement corrective actions to ensure something like this would never happen again. It even offered affected patients complementary identity monitoring services.
But like so many other providers that suffer cybersecurity data breaches these days, Ambry faced the liability nightmare of a class action suit. A group of 24 victims from 15 states sued, claiming that the provider of more than 300 different genetic tests committed negligence, invasion of privacy, breach of contract and violation of state privacy and business laws, among other things. The data breach, they contended, was a “direct result” of Ambry’s failure to implement “adequate and reasonable” cybersecurity systems and protocols in violation of its HIPAA duties to protect the sensitive personal data of its patients. “Had [Ambry] remedied the deficiencies in its data security systems and adopted security measures recommended by experts in the field,” the breach wouldn’t have happened.
California Court Dismisses the Class Action
Of course, it’s one thing to make allegations and quite another to prove them. The US District Court for the Central District of California emphasized this point in dismissing the class action on April 7, 2021, finding that the patients “failed to plausibly allege that their injuries were caused by” Ambry’s actions. “The problem,” the judge continued, is that the alleged harm “is not fairly traceable—at least not plausibly so—to the conduct they complain of.” For example, the patients alleged that unauthorized third parties obtained their passwords but don’t allege that their passwords were actually stolen in the breach.
Still, what Ambry won was only a temporary reprieve. The basis of the ruling isn’t about the truth and substance of the charges so much as the way the patients expressed them. Thus, the judge gave the patients two weeks to fix their pleadings.
What Happens Next
If and when they take advantage of the opportunity to restate their allegations, the patients will face the same obstacles that have caused so many other HIPAA data breach class actions: traceability. Specifically, they’ll need to come up with evidence of exactly what personal data the hackers stole, something that’s difficult even for breach victims. They’ll then have to trace how the hackers used that information. Moreover, there’s also the risk that the court will break up the class action and require the patients to sue individually based on their own personal losses.
All of this sets up for what is likely to prove the decisive round in the litigation: the motion to dismiss on the merits. Ambry will probably claim that the patients don’t have a valid legal claim and ask the judge to dismiss it without a trial. If they win the motion to dismiss, the patients will be hard pressed to continue the lawsuit. However, if they survive the motion and get the right to go to trial, the leverage will shift and the patients will be in the position to obtain a six- or seven-figure settlement. Of course, Ambry could always call their bluff and force them to prove their claims at trial.
Takeaway
The Ambry case is fascinating not only because of its size and the fact that it involves a clinical lab but also because its dynamics are so typical of HIPAA data breach class actions. The bottom line is that these lawsuits fail more often than they succeed, with a favorable settlement representing the best possible outcome for the plaintiffs. On the other hand, the stakes are extremely high and there’s always the risk/hope for—depending on your perspective—a finding of liability resulting in a huge damages award.
