The holdings in three recent cases brought as a result of healthcare industry data breaches provide some insight into what makes a data breach lawsuit successful or unsuccessful, according to a new article in the New York Law Journal.
1. Circumstantial evidence will be considered. In the case of C.E. v. Prairie Family Medicine P.C., the plaintiff sued a local medical clinic after an employee of the clinic allegedly disclosed the plaintiff's positive HIV test to a third party, thereby leading to the spread of news of her positive test results to the surrounding community.
At the trial court level, the court held the plaintiff could not produce any "competent evidence" illustrating the medical clinic or its agents were negligent in releasing the details of the positive HIV test, and thus there was no connection between the clinic and the plaintiff's request for damages.
In March, the Supreme Court of Nebraska overturned the lower court. The court held the plaintiff had shown by circumstantial evidence there was a possibility the clinic had caused the tortuous conduct alleged in the case.
2. More than speculation of exposed data is required. In the case of Polanco v. Omnicell, a patient brought a class-action lawsuit in
In December 2013, the presiding court ultimately held the plaintiff could not bring the suit because the provider had informed the plaintiff her confidential information was not located on the stolen laptop. The court further held a speculative increased risk of identity theft is insufficient to have standing to bring a negligence lawsuit resulting from a data breach.
3. There must be actual damages. In 2012, in Worix v. MedAssets, a plaintiff filed suit alleging the defendant was negligent in safe-guarding his personal and health information when a hard drive containing patients' information had been stolen from one of defendant's employee's vehicle.
In March 2012,The court held Illinois law requires an actual injury to sustain a negligence claim, and the plaintiff failed to allege he had actually suffered the loss of any money or property but rather had alleged only he was subject to an increased risk of identity theft.
More Articles on Data Breach Lawsuits:
Class-Action Lawsuit Filed Over Los Angeles County Data Breach
8 Recent Legislative and Legal Developments Involving Hospitals
Hospitals Not Always Liable for Employee Breach of Patient Data