An Illinois class action lawsuit that arose from the massive HIPAA breach affecting the healthcare provider last August has been thrown out by the circuit court in Kane County.
The incident possibly exposed the data of almost 4 million patients when four unencrypted computers were stolen from its Park Ridge offices.
The class action lawsuit was brought by two plaintiffs who claimed Advocate Health acted with negligence by failing to put in place the appropriate safeguards to protect their data. The lawsuit also alleged that Advocate Health violated both the Illinois Personal Information Protection Act and the Illinois Consumer Fraud Act, and that the incident caused an invasion of privacy.
The court found in favor of Advocate Health & Hospitals because the case lacked standing or basis. While there was no doubt that the PHI of the patients had been potentially exposed, the plaintiffs were unable to provide adequate proof to confirm that the data had actually been viewed by an unauthorized person. Without this proof it was not possible to establish whether any harm had actually been inflicted.
If there is no injury or damage there can be no claim, and while the court did find that the probability of identity theft happening had increased, there was no certainty that the data would be accessed or used inappropriately. In order for a case to be ruled in favor of the plaintiffs, the thieves would have to have sold or used the data for personal profit, and some proof of that would need to be provided.
Furthermore, claims of injury had been made but again insufficient evidence was provided to support claims for negligence or fraud under the Illinois Consumer Fraud Act. The claim that there had been an invasion of privacy was also thrown out due to there being “insufficient allegations of intentional conduct.”
Although class action lawsuits can be taken for personal injuries and damage caused by a HIPAA security breach, they can be difficult for plaintiffs to win. There is no private cause of action under HIPAA, so in order for a case to be won it must be established and proven that the actions of a HIPAA-covered entity actually breached state law theories.
It is unlikely that any case will be successful if proof of harm or injury cannot be supplied, and while evidence of data exposure may exist, without that data being used, sold on or otherwise causing demonstrable harm, plaintiffs are unlikely to be awarded damages. This does not let healthcare companies off the hook, as the Department of Health and Human Services reviews reported breaches and can apply heavy financial fines to institutions that fail to adhere to HIPAA regulations, regardless of whether data has been seen, accessed or used by unauthorized people.