Data Breach Class Action Defense – Looking Beyond HIPAA
Reading Time: 4 minutes
In the modern, digitized world, data breaches are increasingly common. Motivated and sophisticated hacker collectives target everything from financial service providers to healthcare providers trying to find accessible, sensitive information. As cybersecurity advancements race to keep pace with evolving malware and hacking tools, sometimes hackers obtain a competitive edge, and sensitive data is compromised.
For healthcare providers, the stakes are high. Healthcare providers that have their data compromised often focus on the Health Insurance Portability and Accountability Act (“HIPAA”) reporting and compliance requirements. Healthcare providers are often well-versed in HIPAA and understand the statutory scheme. Many healthcare providers mistakenly believe that, when a data breach occurs, HIPAA compliance and reporting should be their main and only concern. Prudent healthcare providers understand that while HIPAA compliance is important, prospective civil liability and class action litigation pose significant problems. Where there’s a data breach, a threatened class action lawsuit is likely not far behind.
HIPAA Compliance is Important, but Not Exhaustive
Some healthcare providers mistakenly believe that, in the event of a data breach, HIPAA fully represents the legal landscape surrounding patient data security. HIPAA does specifically contemplate data breaches and contains notification requirements in the event unsecured protected health information is compromised. See 45 CFR §§ 164.400-414. HIPAA further presents a mechanism for individual patients to lodge written complaints with the Secretary of Health and Human Services, which is empowered to investigate the complaint and impose civil sanctions. See In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183, 1217 (S.D. Fla. 2022).
1. Negligence Per Se Claims Under HIPAA
Understanding the importance of HIPAA to healthcare data protection, some prospective class-action Plaintiffs have asserted that the failure to abide by HIPAA requirements provides the Plaintiff with an independent negligence per se claim against the healthcare provider under Florida law. Negligence per se claims generally require “a violation of a ‘statute which establishes a duty to take precautions to protect a particular class of persons from a particular injury or type of injury.”‘ DeJesus v. Seaboard Coast Line R. Co., 281 So. 2d 198,200 (Fla. 1973). Accordingly, HIPAA seemingly provides the basis for a negligence per se claim.
However, “Florida courts have refused to recognize a private right of action for negligence per se based on an alleged violation of a federal statute that does not provide for a private right of action.” Stevens v. Danek Medical, Inc., 1999 U.S. Dist. LEXIS 22397, 1999 WL 33217282, at *5-6 (S.D. Fla. 1999) (citing Jupiter Inlet Corp. v. Brocard, 546 So. 2d 1, 2-3 (Fla. 4th DCA 1998). Accordingly, HIPAA violations cannot form the basis for a private cause of action against a healthcare provider. See Sneed v. Pan Am. Hosp., 370 F. App’x 47, 50 (11th Cir. 2010). Florida courts have gone even further and found that as healthcare providers “are required by law to adhere to HIPAA without receiving any consideration,” HIPAA “cannot create contractual obligations” between patients and healthcare providers. Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1367 (S.D. Fla. 2017).
2. Claims Beyond HIPAA: Negligence
As Florida courts have explicitly found that HIPAA does not provide the basis for data breach claims against healthcare providers, Plaintiffs have turned to alternative bases for relief. Specifically, plaintiffs allege general negligence claims and argue that when a business “collect[s] sensitive, private data from consumers,” it has “a duty to protect that information.” Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1365 (S.D. Fla. 2017); see also In re Brinker Data Incident Litig., No. 3:18-CV-686-J-32MCR, 2020 WL 691848, at *8 (M.D. Fla. Jan. 27, 2020).
To maintain a claim for negligence, Plaintiffs must allege four elements: (1) a duty; (2) breach of that duty; (3) causation; and (4) damages. Williams v. Davis, 974 So. 2d 1052, 1056 (Fla. 2007) (citing Clay Elec. Coop., Inc. v. Johnson, 873 So. 2d 1182, 1185 (Fla. 2003)). While determining the viability of data breach negligence claims often requires a fact-intensive inquiry, one thing is clear; HIPAA compliance can be wholly unrelated to the core of data breach class action claims. Even where Plaintiffs do not allege that a HIPAA violation has occurred, class-action lawsuits can persist, and healthcare providers may be subject to considerable liability. See Farmer v. Humana, Inc., 582 F. Supp. 3d 1176, 1186 (M.D. Fla. 2022).
HIPAA Compliance Alone Is Not Enough
Healthcare providers must proactively address the inevitability of cybersecurity threats and data breaches. While HIPAA compliance is an integral part of a healthcare provider’s response to a data breach, HIPAA compliance alone will not minimize a healthcare provider’s resulting legal liabilities. Healthcare providers that have had patient data compromised should consult with experienced legal counsel to ensure that they are complying with all statutory requirements and acting to minimize their legal liabilities. Where a data breach occurs, a class action lawsuit is likely to follow.