7 MASSIVE HIPAA Violation Lawsuits

Can a patient sue because a healthcare entity suffered a HIPAA violation?

Within HIPAA, there’s no private cause of action. Therefore, it’s not possible for a patient to take legal action and sue for a HIPAA violation. Even if the HIPAA laws were clearly violated, and the patient suffered as a direct result, they can’t seek damages.

So if it's not possible to sue for a HIPAA violation, how is it possible for people to sue healthcare providers for exposing their Protected Health Information, or PHI? Does this mean someone can’t take legal action against a covered entity when it's clear they violated HIPAA?

While HIPAA does not have a private cause of action, it’s possible for patients to take legal action against healthcare providers. They can obtain damages for violations of state laws.

In some states, it’s possible to file a lawsuit against a HIPAA-covered entity if they can prove that the provider was negligent or there was a breach of an implied contract. For example, if a covered entity failed to protect medical records, a patient can claim that this was a breach of an implied contract.

In such cases, a plaintiff needs to prove that damage or harm happened as a result of negligence or the theft of unsecured personal information.

There are hundreds of data breaches every year. Many hackers target healthcare entities because they are easy targets. Hackers think healthcare practices are likely to pay a ransom to get back their systems.

Taking legal action against a covered entity can be expensive. There’s no guarantee of success. But, that doesn’t mean people don’t try.

Below are seven lawsuits in which covered entities faced claims relating to HIPAA violations and stolen PHI.


Pires, et al. v. NuLife Med LLC

NuLife Med is a medical equipment company. Their equipment helps patients recover from surgeries and illnesses.

The company suffered a data breach in March of 2022. The breach compromised both PHI and PII such as…

  • Names

  • Contact information

  • Insurance data

  • Medical information

  • Birthdates

  • Social Security numbers

In the lawsuit, the affected patients claimed that NuLife could reasonably have prevented the breach by implementing appropriate cybersecurity measures. Although NuLife hasn’t admitted to any wrongdoing, it still agreed to pay an undisclosed sum to resolve the data breach claims.

Under the terms of the settlement, class members can receive either one year of free credit monitoring or a check worth $25. Claimants can only choose one of these benefits. The deadline for exclusion and objection is May 16, 2023.

The final approval hearing will happen on June 5, 2023.

Tafelski, et al. v. Logan Health Medical Center

Logan Health, formerly Kalispell Regional Medical Center, is a 622-bed health system based in Kalispell, MT. It operates six hospitals and more than 68 provider clinics in the state.

In February 2022, the healthcare entity announced it was the victim of a cyberattack that involved patient data.

Logan Health first detected the breach in November 2021. Investigations confirmed hackers were in their systems for at least four days. In January 2022, the healthcare entity learned the attackers accessed files containing patient information.

The data included information like…

  • Names

  • Addresses

  • Medical record numbers

  • Dates of birth

  • Telephone numbers

  • Email addresses

  • Insurance claim information

  • Dates of service

  • Treating/referring physician

  • Medical bill account number

  • Health insurance information

The healthcare entity soon learned that the breach affected more than 213,500 individuals. As a precaution, Logan Health offered complimentary credit monitoring services.

In the lawsuit filed against Logan Health, plaintiffs alleged that the company failed to implement reasonable and appropriate cybersecurity measures and did not provide sufficient security awareness training to its workforce. The plaintiffs argued that, with adequate training, the breach could have been avoided entirely.

The lawsuit alleged the plaintiffs and class members have suffered damages due to the exposed PHI and PII including…

  • The compromise, publication, theft and/or unauthorized use of their PII/PHI

  • Out-of-pocket costs from the prevention, detection, recovery, and remediation of identity theft or fraud

  • Lost opportunity costs and lost wages

Logan Health chose to settle the lawsuit and agreed to create a $4.3 million fund to cover claims.

Under the terms of the settlement, affected individuals can submit claims and receive a maximum of $25,000 to reimburse out-of-pocket expenses that are reasonably traceable back to the data breach. Claims can also include lost time, up to a maximum of $125 per class member.

The final approval hearing happened on March 9, 2023.

McCullough, et al. v. True Health New Mexico Inc.

Insurance provider True Health New Mexico faced three lawsuits after a security breach compromised medical and personal information.

These lawsuits are…

  • McCullough, et al. v. True Health New Mexico Inc.

  • Clement, et al. v. True Health New Mexico Inc.

  • Shanks, et al. v. True Health New Mexico Inc.

In March 2022, the courts consolidated the three lawsuits into a single class action lawsuit. True Health New Mexico proposed a settlement to resolve the claims in the lawsuits.

So what happened exactly?

True Health New Mexico discovered a security breach in October 2021 which ended up compromising information relating to over 62,900 members of its health plans. An investigation confirmed an unauthorized third party accessed its systems and exfiltrated files containing patient data.

Potentially compromised information includes…

  • Names

  • Dates of birth

  • Ages

  • Home addresses

  • Email addresses

  • Insurance information

  • Medical information

  • Social security numbers

  • Health account member IDs

  • Provider information

  • Dates of service

On the bright side, at the time True Health issued its notification letters there was no evidence that the hackers had misused the data. Despite this, the healthcare entity offered complimentary credit monitoring and identity theft protection services to affected individuals as a precaution against fraud.

The lawsuits allege the health plan provider was negligent because it failed to take appropriate care to protect sensitive customer and employee data.

The lawsuits also alleged…

  • Negligence per se

  • Invasion of privacy by intrusion

  • Breach of express contract

  • Breach of implied contract

  • Breach of fiduciary duty

  • Unjust enrichment

  • Violations of the New Mexico Unfair Practices Act

True Health New Mexico proposed a settlement to resolve claims related to the lawsuits. However, they didn’t admit to any wrongdoing. Under the terms of the proposed settlement, claimants can receive a maximum of $5,250 per person.

The final fairness hearing will happen May 10, 2023.

Bryan et al. v BioPlus Specialty Pharmacy

On December 10, 2022, BioPlus Specialty Pharmacy Services, LLC placed a breach notification alert on its website. The notification described an October event involving “unauthorized access” to its systems.

The notification also mentioned that the unauthorized access impacted at least 350,000 individuals.

By January 2023, two affected patients had filed a class action lawsuit against BioPlus Specialty Pharmacy Services over how it handled the data breach.

The lawsuit claimed that there was a discrepancy between how the organization presented the breach and what actually happened. It alleges that the incident was far more severe than “unauthorized access,” because it was caused by a ransomware attack launched against the organization by cybercriminals.

At the time of writing, the class action is still underway.

McHenry v. Advent Health Partners, Inc.

Advent Health Partners, a company based in Nashville, Tennessee, experienced a breach in early September 2021. Soon after discovering the breach, it launched an investigation.

The investigation confirmed hackers potentially stole PHI and PII such as…

  • Names

  • Social Security numbers

  • Driver’s license information

  • Dates of birth

  • Health insurance

  • Medical treatment information

  • Financial account information

Affected individuals received notification of the breach in March 2022. Advent Health offered credit monitoring services to protect against fraud.

Soon after, Advent Health Partners faced a lawsuit over the breach. The lawsuit claimed the health system failed to implement reasonable and appropriate cybersecurity measures, despite being aware of the high risk of phishing attacks on healthcare entities.

The lawsuit also took issue with the length of time between discovering the breach and notifying affected individuals. Five months passed between discovery of the breach and Advent Health Partners announcing it on their website, and it took six months to notify patients.

The plaintiffs believe that this time gap violated Tennessee law. They also claim that the health system failed to comply with the federal standards of HIPAA and did not follow FTC guidelines.

The lawsuit alleged the notifications were “woefully deficient” and lacked basic details about the data breach. The plaintiffs believed that the credit monitoring services were insufficient.

Advent chose to settle the lawsuit but didn’t admit to any wrongdoing.

Under the terms of the settlement, Advent will create a $500,000 fund to cover claims and legal costs. Claimants can submit a claim for ordinary expenses of up to $750 per class member. Those who experienced extraordinary losses that were not already reimbursed can receive up to $5,000.

The final approval hearing will happen on April 14, 2023.

Lopez Morales, et al. v. Orlando Family Physicians LLC

In April of 2021, hackers allegedly gained access to a network belonging to Orlando Family Physicians. The healthcare company agreed to a class action lawsuit settlement to resolve claims that the breach was preventable.

Orlando Family Physicians is a group of medical centers in Orlando, Florida. They provide primary care services for thousands of patients.

Although we don’t know the specifics of the stolen information, we do know that it exposed both PHI and PII.

Under the terms of the agreement, class members who experienced out-of-pocket expenses due to the breach can receive up to $225 for documented expenses.

These payments could cover…

  • Bank fees

  • Communication costs

  • Credit-related expenses

  • Up to three hours of lost time at a rate of $25 per hour

The approval hearing for the Orlando Family Physicians settlement will happen on August 28, 2023.

Simmons v. AssistCare Home Health Services LLC

92,283 patients received a notification from AssistCare Home Health Services that their information was part of a data breach.

Unauthorized individuals gained access to AssistCare’s network in January 2021. The bad actor exfiltrated files containing patient data, among other things.

The hackers published the stolen information on their website, including…

  • Names

  • Personal information

  • Health information

  • Social security numbers

The lawsuit alleged the healthcare entity was negligent because it failed to implement reasonable cybersecurity measures to protect against ransomware attacks. As a result of that negligence, the lawsuit alleges, the victims face an imminent and elevated risk of identity theft and fraud.

AssistCare Home Health Services chose to settle the lawsuit but didn’t admit to any wrongdoing. The company agreed to accept claims from class members up to a maximum of $3,900 per claimant. The total value of the settlement isn’t disclosed.

The company will accept claims of up to $400 as compensation for ordinary losses such as bank fees, communication charges, and credit-related losses.

Regardless of claim submission status, class members are eligible for one year of three-bureau credit monitoring services.

The fairness hearing will happen on June 27, 2023.

Conclusion

HIPAA violation lawsuits happen all the time.

If you got a letter in the mail informing you that your PHI was part of a breach, you might be able to take legal action against the breached entity. You can try to recover damages for any harm or losses suffered as a result of the breach.

Can you sue for a HIPAA violation? Technically, no, you can’t. You cannot sue an individual for compromising your PHI.

However, you can sue a covered entity for the consequences and damages caused by the exposure of PHI and PII.

Lawsuits take time and money to resolve. However, it can be worth it to restore the protection of your privacy and to remedy the damage done by losing your right to medical privacy.

On the organization side, you want to ensure that you’re implementing as many safeguards as possible to stay compliant with HIPAA. If a breach occurs, you’re now susceptible to both governmental fines and the potential for a class action lawsuit. One of the most effective ways to protect your organization from a lawsuit related to HIPAA and/or cybersecurity is to train your employees.