BreachExchange mailing list archives

Evolving litigation of data breach claims


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 29 Sep 2015 18:35:33 -0600

http://www.lexology.com/library/detail.aspx?g=52dd1ee9-3cf6-4874-b398-e769cdeae41b

An Illinois circuit court judge has dismissed five of six claims in a
consolidated class action against Advocate Health and Hospital Corporation
arising from a data breach in July 2013. The judge’s dismissal with
prejudice leaves only a negligence claim, based on a duty to reasonably
safeguard information, pending against Advocate. The complaint included
allegations that the hospital’s written policies, which referenced
compliance with data privacy laws, formed part of Advocate’s promise to
plaintiffs. The plaintiffs argued that Advocate’s failure to follow its own
policies and procedures, and adequately protect patient information, was a
breach of contract. However, the circuit court’s order dismissed the claims
based on breach of express contract, implied contract, fiduciary duty and
unjust enrichment.

The dismissal order in the consolidated case represented a new episode in a
series of suits filed against Advocate stemming from its announcement that
four unencrypted laptop computers were stolen from an administrative office
in July 2013. In August 2015, in a federal court case arising from the
Advocate data breach, the Seventh Circuit Court of Appeals affirmed a lower
court’s decision that Advocate was not a “consumer reporting agency” under
the Fair Credit Reporting Act (“FCRA”). Tierney v. Advocate Health and
Hospitals Corporation. In part, the federal law defines a consumer
reporting agency as a person collecting and furnishing consumer information
to third parties in exchange for payment. In affirming dismissal of the
FCRA claims, the court determined Advocate was not paid by Medicare and
insurance companies for collecting and transmitting patient information;
rather, payments received by Advocate were for healthcare services provided
by its physicians.

Two other state court cases that raised claims of negligence and violations
of state data breach laws against Advocate were dismissed earlier this year
for lack of standing. On appeal, the Second District Illinois Appellate
Court consolidated both cases and affirmed the dismissal orders. Maglio v.
Advocate Health and Hospitals Corporation. The Appellate Court held that
plaintiffs’ allegations of injury based only on an increased risk for
identity theft were speculative and conclusory.

As the Advocate cases demonstrate, data breaches will continue to generate
claims under both federal and state laws. The federal privacy law, HIPAA,
has provided a compliance cornerstone for healthcare providers to safeguard
patient information. While HIPAA litigation is alive and well, a developing
caveat is that state laws – through data breach and negligence claims – are
becoming litigation pressure points for healthcare providers. Additionally,
the enactment of new and amended state laws aimed at further protecting the
consumer and medical information may provide fertile grounds for data
breach claims under state law.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
