Are Labs Personally Liable to Data Breach Victims—CareFirst Case May Provide the Answer

While data breaches inside labs and other health care settings happen all the time, lawsuits for money damages by victims have been relatively unusual. But now the U.S. Supreme Court is being asked to rule on a case that could blow the doors off of private data breach litigation; or, it could go in completely the opposite direction and make those suits even harder for victims to win.

The Issue
The Fair Credit Reporting Act (FCRA) and other privacy laws give individuals the right to sue for actual and substantial risk of future harms they suffer as a result of data breaches. The question: Just how substantial must the risk of future harm be to trigger the right to sue? It is a question for which the federal district and appellate courts have failed to reach consensus. And now the Supreme Court is being asked to settle the issue once and for all.

The CareFirst Case
The case, not surprisingly, involves a data breach involving protected health information. It happened in 2014 when CareFirst BlueCross BlueShield was hit by a cyberattack which exposed protected health information of 1.1 million of its members, including names, email addresses, dates of birth, and subscriber ID numbers.

The victims brought an FCRA class action lawsuit for damages (Chantal Attias vs. Carefirst, Inc.) in federal court but the district court dismissed it on the grounds that the customers did not suffer actual harm as a result of the breach. But the appeals court disagreed and allowed the case to proceed. “At the very least, it is plausible to infer that [the cyber attacker] has both the intent and the ability to use that data for ill,” the court reasoned.

But CareFirst attorneys claim that the court’s reasoning on risks of future harm was too speculative and failed to establish that customers would, in fact, suffer impending injuries as a result of the breach. And now they are asking the Supreme Court to do something it has never done: decide a data breach case.

The Case for the Case
CareFirst contends that the case presents a “substantial question,” namely, what constitutes an “injury” giving rise to a legal claim for harm done as a result of a data breach under the FCRA. “The Supreme Court needs to address this area of the law to provide more guidance to federal district and appellate courts. . . . to clarify that an alleged future injury must be imminent to satisfy the substantial risk standard,” according to the CareFirst motion petitioning the Court to take the case.

What’s At Stake
The issue of an organization’s liability to victims of data breaches is certainly a compelling one for the health care industry, in which 30% of all data breaches in the U.S. occur. Breach Barometer Report: Mid-Year Review, published by Protenus, tallied 233 breach incidents reported to the Department of Health and Human Services from January to June 2017. This pace is expected to exceed the 2016 total of 450 breaches. In the first half of this year, 3.1 million patient records were affected.

Data breaches take place at hospitals, insurance companies, private provider offices and, of course, clinical labs. A notable example took place in December 2016, when Quest Diagnostics announced that “unauthorized third party” had gained access to personal client data through the MyQuest Internet application compromising the personal health information (including name, date of birth, lab results, and some telephone numbers) of approximately 34,000 individuals.

Takeaway: Preventing and responding effectively to data breaches is already an obligation under HIPAA, FCRA and other privacy laws. And while the threat of civil lawsuits for money damages by victims is not new, such litigation has been relatively rare due to the uncertainty over and difficulty of showing harm necessary to bring such suits. But a Supreme Court ruling on the question, one way or the other, would have a significant impact on future liability and litigation risks labs face for data breaches. So labs need to keep a close eye on the CareFirst suit—assuming the Court agrees to take it.