“I Might Be Injured, Someday…Maybe?” Courts Question Plaintiffs’ Standing in HIPAA Breach Suits Alleging Future Harm
Illinois courts have now dismissed two class action law suits against Advocate Health and Hospitals Corporation (“Advocate”), stemming from a July 2013 breach of personal health information (“PHI”) when four unencrypted laptop computers were stolen from Advocate’s administrative offices. The computers collectively contained the PHI, including names, addresses, dates of birth, Social Security Numbers, diagnoses, medical record numbers, the identity of treating physicians or departments, and health insurance data, of over 4 million Advocate consumers.
In both suits, the plaintiff class alleged the breach was a direct result of Advocate’s negligence, in violation of the Illinois Consumer Fraud and Deceptive Business Practices Act and the Illinois Personal Information Protection Act, as well as an invasion of privacy and an intentional infliction of emotional distress.
The plaintiff class in Veronica Vides, et al., v. Advocate Health and Hospital Corporation (“Vides”) alleged that Advocate’s breach led to an “increased risk of identity theft and/or fraud,” as well as the costs and time associated with mitigating such an increased risk. In Matias Maglio, et al., v. Advocate Health and Hospital Corporation (“Maglio”), the plaintiffs similarly alleged that there was an increased risk of harm due to an unknown third party possession of the data but did not provide proof, nor did they allege “that the information contained on the computers has been accessed or disseminated by the unknown third parties, or that plaintiffs have been actual victims of identity theft because of the misuse of the information.”
As with all other proceedings, before the merits of each claim is assessed, the court must determine whether the plaintiff class has standing to bring the matter before the court in the first place. Put simply, the court must decide whether the plaintiff party is the right dog in the fight.
To make this determination, the plaintiff must allege a concrete, demonstrable injury that is likely traced to the defendant’s actions. The plaintiff must also show that, should the court find in its favor, the plaintiff’s injury will either be prevented or the plaintiff will receive some sort of relief for the injury caused by the defendant’s actions. In both Maglio and Vides, the courts were faced with the issue of whether or not the increased risk of future harm can be, in fact, an injury for the purposes of standing. In each case, the courts determined it was not.
In Maglio, the judge pointed to federal cases similar in fact to the matter at the bar and found “that there has been no injury in fact and no change in the status quo. Yes, there is an increased risk of harm because it is unknown if, and when, the theft of the computers would transmute or ripen into identity theft. Such a transmutation would depend on the thieves actively disclosing, selling to other criminals, or otherwise misusing the data on the computers.” However, the court found that the increased risk of identity theft was not an impending certainty of identity theft.
Similarly, in Vides, the court relied heavily on a United States Supreme Court case, Clapper v. Amnesty International USA, et al., which asserted that “allegations of possible future injury are not sufficient to establish standing.” The plaintiffs’ risk of harm “is contingent on a chain of attenuated hypothetical events and actions by third parties independent” of Advocate; and while the plaintiff class is not required to “show that they are ‘literally certain’ they will be victims of identity theft and/or fraud, they have not alleged facts that would plausibly establish an ‘imminent’ or ‘certainly impending’ risk that they will be victimized.”
The fight for Advocate is far from over, however. While both Maglio and Vides were dismissed with prejudice, and therefore cannot be appealed or tried again, multiple class action suits against Advocate are still active in the Illinois court system. One such action, Alex Lozada v. Advocate Health and Hospital Corporation (“Lozada“), is attempting a different approach by alleging claims of breach of contract, breach of implied contract, unjust enrichment, and breach of fiduciary duty. Specifically, Lozada is relying upon HIPAA and industry-standard protections to form the basis of their various breach of contract and duty claims. The case, initiated in September, 2013, may still be dismissed; but, after dozens of motions and filings, it seems like this dog might just get into the ring.
The decisions in Maglio and Vides also don’t close the issue on whether plaintiffs in HIPAA breach cases may have standing under certain causes of action. Other states have addressed this same issue and found in favor of the plaintiffs. The Supreme Court of West Virginia, the state’s highest court, did grant class certification to plaintiffs in Larry Tabata, et al. v. Charleston Area Medical Center, Inc. (“Tabata”). In that case, PHI for 3,655 patients was accidentally placed on the internet. The plaintiffs asserted claims for breach of the duty of confidentiality, invasion of privacy, and negligence.
During discovery in Tabata, both the plaintiff class and Charleston Area Medical Center (“CAMC”) asserted that neither party was aware of any unauthorized and malicious users attempting to access or actually accessing their information, nor were they aware of any of the affected patients having any actual or attempted identity theft. In addition, the plaintiffs did not allege any property injuries or economic losses, or that they were aware of any other potential class members having sustained any such injuries. While the lower courts in West Virginia agreed with CAMC that the plaintiffs had not demonstrated an actual injury-in-fact, the Supreme Court of West Virginia disagreed. Interestingly, the Supreme Court of West Virginia agreed that there was no injury-in-fact for the risk of future identity theft but found that the plaintiffs’ had standing in regard to breach of confidentiality and invasion of privacy. The court held that patients “have a legal interest in having their medical information kept confidential. When a medical professional wrongfully violates this right, it is an invasion of the patient’s legally protected interest.” The court also found that, based upon West Virginia law pertaining to a person’s right to privacy, the plaintiff class did have a “concrete, particularized, and actual” injury when CAMC allowed patients’ PHI to be accessible on the internet.
Overall, there appears to be a consensus that putative class members lack standing where there is a possible future risk of harm and cannot show an injury-of-fact. What remains to be seen is whether other causes of action such as breach of contract, breach of fiduciary duty, or breach of confidentiality will confer standing and/or liability for entities involved in a HIPAA breach.