The Patient Who Cried “Data Breach”: Actual Data Breach Required, but End-of-Life Software Risk Remains
On Thursday, December 6, 2018, a federal court in Ohio dismissed a putative class action against Mercy Health brought by a patient claiming that the provider caused private protected patient information to be exposed to unauthorized third parties based on Mercy Health’s use of a software portal used to store patient information and allow patients to access such information. The court found that the mere possibility that a third party could have accessed the data without authorization was not sufficient to move the plaintiff’s case forward. However, the cost of litigation and mitigation as well as potential regulatory and public relations considerations provide an expensive lesson.
The complaint was originally filed in August 2016 with the patient seeking to represent a nationwide class of patients and included claims for breach of contract, unjust enrichment, breach of confidence, and violation of the Ohio Consumer Sales Protection Act based on Mercy Health’s alleged assumed duties to maintain the security and confidentiality of patient information through Mercy Health’s Notice of Privacy Practices, “Core Values” and “Corporate Responsibility” statements, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and industry standards.
The patient alleged that Mercy Health knew or should have known that the portal operated on an outdated Java-based computer server could be easily accessed, permitting patient information to be removed or deleted. The patient argued “[i]t is just a matter of time until a hacker discovers Mercy’s vulnerable system and further exposes patients’ private medical information.”
In granting Mercy Health’s request to dismiss the claim, the court explained that the patient only alleged that his personal information could have been accessed improperly, not that it actually was, and ultimately lacked standing. Citing the U.S. Supreme Court’s decision in Spokeo v. Robins (holding plaintiffs must allege a concrete injury to bring suit in federal court), the patient lacked standing to move forward with the claims in this case. The court also dismissed the patient’s argument that he suffered an economic injury because a portion of his payments to Mercy Health were for the data security measures that the provider allegedly failed to take.
While the case was ultimately dismissed, the provider incurred costs associated with defending the litigation, implementing security updates to remedy allegations brought against it, and harm to its reputation, including potential loss of patient trust. For example, the court explained that “[e]ven if [Mercy Health]’s approach to data security was clumsy, it also was harmless…” While Mercy Health was victorious in the dismissal, being called clumsy in its approach to data security is not an ideal message for patients or regulators.
The case has been sealed since it was filed in 2016 because of the court’s concerns that hackers would be able to exploit Mercy Health if the complaint was publicly disclosed before the provider had the chance to address the alleged vulnerabilities. Also, it is not clear whether Mercy Health has dealt with—or may be forced to deal with—state or federal regulators related to these allegations or the potential use of end-of-life, unsupported software to maintain protected health information.
This case is an example of the importance of maintaining policies and procedures on health information privacy and security as well as conducting periodic review of records of information system activity, including assessing particular risks posed by end-of-life, unsupported systems. The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has entered into settlements with covered entities related—in part—to running outdated, unsupported software. In 2014, then OCR Director Jocelyn Samuels noted that successful HIPAA compliance “includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” A provider’s vulnerabilities will not only be exploited by the more obvious cyberattacks but also by a provider’s own patients—even those patients who cried “data breach”—and may lead to regulatory, litigation, and public relations risks for covered entities.
For questions about this update or HIPAA compliance generally, please contact:
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Rachel Weiss: (414) 277-5829 / rachel.weiss@quarles.com
- Sarah Erdmann: (414) 277-5512 / sarah.erdmann@quarles.com