Supreme Court May Take on Its First Health Care Data Breach Case

In a case to watch, CareFirst BlueCross BlueShield will ask the U.S. Supreme Court to consider its first health care data breach case. CareFirst is arguing that the case presents a “substantial question” about whether the prospect of future harm resulting from a data breach warrants legal action. CareFirst’s attorneys argue that the court has yet to decide on the definition of an injury in relation to a data breach.

“The Supreme Court needs to address this area of the law to provide more guidance to federal district and appellate courts, especially given that federal courts have struggled to reach consensus as to when the prospect of future injury resulting from stolen information truly presents a ‘substantial risk’ of actual harm,” the September CareFirst motion reads.

The case stems from a 2015 cyberattack against CareFirst, which exposed protected health information, including names, email addresses, dates of birth, and subscriber ID numbers, for 1.1 million members. The class action suit, Chantal Attias vs. CareFirst, Inc., was dismissed by a district court, but the U.S. District Court for the District of Columbia overturned the ruling and allowed the case to proceed, even though there was not a concrete injury to plaintiffs, according to HIPAA Journal.

Experts say that district and appellate courts have struggled to reach consensus about when the prospect of future injury resulting from a data breach constitutes a substantial risk of actual harm. Given the number of data breaches that health-related entities continue to experience annually, this is a case to watch.

Data breaches are nothing new for the health care industry, which accounts for 30 percent of all U.S. data breaches. Hospitals, insurers, and private provider offices have all been hit. The Breach Barometer Report: Mid-Year Review, published by Protenus, tallied 233 breach incidents reported to the Department of Health and Human Services from January to June 2017. This pace is expected to exceed the 2016 total of 450 breaches. In the first half of 2017, 3.1 million patient records were affected.

The laboratory industry is not immune from data breaches. Back in December 2016, Quest Diagnostics announced client data had been compromised through an “unauthorized third party” accessing the MyQuest Internet application. Protected health information (including name, date of birth, lab results, and some telephone numbers) was compromised for approximately 34,000 individuals.

Takeaway: Laboratories, like the rest of the health care industry, are watching to see whether the Supreme Court will hear a case that could define an injury as it relates to a data breach. In the meantime, health care entities are urged to protect protected health care information from cyberattack.

