Michigan is the Second State to See a Data Breach Class Action; OCR Issues First Penalty under HITECH

As we predicted in an article in our December 2011 issue, actions stemming from data breaches have increased in the first quarter of 2012. So far this year we have seen an increase in class action litigation and enforcement activity from the Office of Civil Rights.

Class Action - Sutter Health

In our December issue, we discussed the class action filed in California against Sutter Health, Sutter Medical Foundation, Sutter Physician Services, and Does 1 - 100, in connection with an October 2011 data breach from the theft of a password-protected, unencrypted computer, alleging violations of California's Confidentiality of Medical Information Act and California's breach notification law. This computer contained data on over 4 million patients. Since the initial filing in December, an additional 12 class actions were filed in California as a result of this same incident. In an effort to conserve judicial resources, the Judicial Council of California combined the 13 class actions in February. Since then, we have seen little additional activity.

California's pro-consumer environment provides an attractive test bed for private lawsuits related to data security breaches. Although in December we anticipated that these California actions would progress further before similar actions appeared in other states, so far this has not been the case.

Class Action - Henry Ford Health System

In February, Michigan became the second state to have a data breach class action lawsuit filed when the Henry Ford Health System ("Henry Ford") was sued for an alleged data breach that occurred at a medical transcription provider. According to the complaint, Henry Ford mailed a breach notification letter to the "named" Plaintiff (as "Jane Doe") in January 2010. In the letter, attached as an exhibit to the complaint, Henry Ford explained that the affected patient's data was visible on the Internet. Henry Ford learned of the data breach on November 29, 2009, and had the Plaintiff's information removed from public display by December 4, 2009. Henry Ford explained that it "is unable to determine exactly how long the information was visible online, however there is no proof it was viewed or used inappropriately." Part of the information allegedly disclosed was that the Plaintiff had a sexually transmitted disease.

This lawsuit seeks damages for (i) invasion of privacy through a public disclosure of per se embarrassing private facts and (ii) negligence. In Michigan, a plaintiff must prove actual damages to recover under a negligence claim, but in a claim of public disclosure of private facts, emotional distress and mental anguish may be enough.

HHS/OCR HITECH Action - Blue Cross Blue Shield of Tennessee

Most recently, on March 13, 2012, the Department of Health and Human Services (HHS), Office of Civil Rights (OCR) issued its first enforcement action stemming from the HITECH Act Breach Notification Rule based on an incident in which protected health information of more than 1 million patients was disclosed. Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay HHS $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. BCBST further agreed to a corrective action plan to address gaps in its HIPAA compliance program.

The OCR enforcement action stemmed from a Breach Notification Report submitted by BCBST on November 3, 2009. On October 5, 2009, BCBST employees discovered a theft of computer equipment from a network data closet located in Chattanooga, TN. The facility was managed by a third-party management firm, but according to BCBST the closet was secured by both biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. BCBST's internal investigation found that the theft occurred on or about October 2, 2009. The stolen items included 57 hard drives containing encoded electronic data, consisting of over 300,000 video recordings and over 1 million audio recordings of customer service calls. The drives contained names of BCBST plan members, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

OCR initiated its investigation on January 8, 2010. According to OCR, its investigation indicated that BCBST failed to implement appropriate administrative safeguards to adequately protect the information remaining at the leased facility, because it did not perform the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards in the form of adequate facility access controls. Both of these safeguards are required by the HIPAA Security Rule.

The Resolution Agreement explicitly states that BCBST did not admit and expressly denies any liability as a result of the theft.