Illinois Court Dismisses Plaintiffs' Privacy Claims Arising from HIPAA Breach
On July 10, 2014, a Kane County, Illinois Circuit Court granted a motion to dismiss with prejudice in favor of Advocate Health & Hospitals Corporation (Advocate) in a class action case arising from a breach of patients’ protected health information (PHI). In August 2013, Advocate reported one of the largest data breaches to date under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after four laptops containing the unencrypted information of well over 4 million patients were stolen from an Advocate medical group administrative building. As a result of the breach, two patients filed a class action suit alleging that Advocate failed to take necessary steps to protect patients’ PHI. Plaintiffs’ claims included negligence, violation of the Illinois Personal Information Protection Act, violation of the Illinois Consumer Fraud Act and invasion of privacy. The Kane County Circuit Court granted Advocate’s Motion to Dismiss the complaint with prejudice for lack of standing and failure to state a claim.
The Court held that the plaintiffs lacked standing because they could not show that the stolen information had been used, and therefore could not show that there was actual identity theft or harm. The Court stated that “there was no injury with no alteration in the established order.” While the Court noted there was an increased risk of harm because of the theft of the laptops and the potential accessibility of the unsecured PHI, there was no impending certainty of identity theft. For the issue to become ripe, the thieves would actually need to disclose, sell to other criminals or otherwise misuse the PHI.
The Court further ruled that there were insufficient allegations of present injury to sustain the negligence and Illinois Consumer Fraud Act claims. With regard to the invasion of privacy claim, the Court ruled that there were insufficient allegations of intentional conduct.
This case is a good example of the difficulties in bringing claims under state law for HIPAA data breaches. There is no private cause of action under HIPAA, so plaintiffs must rely on state law theories. Since most, if not all, states require that plaintiffs show actual injury to state an adequate claim, plaintiffs frequently must overcome a high hurdle because they cannot show that their PHI was used to commit identity theft or any other harm. Even when there is an identity theft, they frequently cannot prove that the identity theft occurred as a result of the HIPAA breach.
Although state causes of action may be hard to prove, covered entities and business associates face penalties under HIPAA. Also, although difficult to prove, state causes of action remain a risk. Therefore, HIPAA covered entities and business associates should take steps to safeguard sensitive information, including encrypting PHI that is stored on portable devices such as laptops, tablets and smartphones.