Health Data Breaches
Question: Are healthcare providers liable under the FCRA for patient health data breaches?
Response & Analysis:
Courts are starting to say no. As data breaches continue to compromise private consumer information at increasing rates, plaintiffs’ attorneys are developing creative methods and legal theories to hold healthcare providers liable when patient information is stolen. In a recent string of cases surfacing across the nation, patients are filing class-action lawsuits against healthcare providers under the Fair Credit Reporting Act (FCRA) when systems containing patient data are breached. The FCRA provides patients with some protections over their medical information, including a requirement that patients provide consent before their medical information can be disclosed.
Although lawsuits attacking healthcare data breaches under this theory have recently increased in popularity, it is unclear whether these suits will garner much success since healthcare providers do not fit the traditional definition of a “consumer reporting agency” under the FCRA. Nonetheless, some providers are choosing to settle the lawsuits early in the process in order to avoid a drawn-out litigation battle and the potential for increased liability.
In a lawsuit involving a major university medical center, a group of current and former patients filed a class action claiming that the university allowed unauthorized parties to access confidential patient records—including confidential personal health information—without having adequate security measures in place and without the patients’ knowledge or consent. The suit arose from a breach of a third-party’s information system that the university had contracted with to store patient information off-site. The plaintiffs alleged that the university violated its obligations as a consumer reporting agency under the FCRA by allowing the plaintiffs’ personal health information to be misused and intentionally disclosed to third parties for profit. The university promptly settled the lawsuit for over $100,000.
In a similar suit filed against a large hospital organization, five former patients are suing a group of hospitals on behalf of any current or former patient who may have been affected by an alleged data breach that compromised roughly 4.5 million patients’ personal information. The plaintiffs claim the hospitals are “consumer reporting agencies” under the FCRA and thus violated the FCRA when they failed to properly secure and encrypt patient information. The plaintiffs allege that the FCRA protects their medical information and restricts its dissemination to limited instances, and the hospitals failed to adopt and maintain procedures designed to protect and limit the dissemination of such information as required by the FCRA.
The alleged FCRA violation arose from an incident in which four desktop computers containing patient information were stolen from one of the health system’s offices. The court dismissed the claims, finding that the health system could not be considered a consumer reporting agency under the FCRA because it does not regularly engage in the practice of assembling information on consumers for the purpose of furnishing consumer reports to third parties. Further, the court stated that an allegation that computers containing personal information were stolen is not sufficient to support a finding that the health system furnished such information to a third party.
Although it may prove to be difficult for plaintiffs to succeed under the FCRA when their medical information is compromised, they can still bring actions under other state and federal statutes. Additionally, regardless of what statute is alleged to have been violated, defending against these lawsuits can be a very long and expensive endeavor. Thus, hospitals and other healthcare providers would be well-advised to properly store and secure patient information, making sure to encrypt all patient data and only allowing authorized personnel to access the systems containing such information.
All Rights Reserved © 2017 Certiphi Screening, Inc.
This document and/or presentation is provided as a service to our customers. Its contents are designed solely for informational purposes, and should not be inferred or understood as legal advice or binding case law, nor shared with any third parties. Persons in need of legal assistance should seek the advice of competent legal counsel. Although care has been taken in preparation of these materials, we cannot guarantee the accuracy, currency or completeness of the information contained within it. Anyone using this information does so at his or her own risk.