Oops, We Erred
A draft unedited article was attached to the end of our last issue. We apologize for the technical error and present the proper and edited version as our first article in this issue.
Suing for Damages After PHI Breach
As I reported earlier, Plaintiffs continue to file suit against providers and insurers who allow PHI information to be accessed by hackers.
In most of the early attempts to sue the insurer or provider, the hospital or insurance company sought to dismiss such complaints on the basis that even though the PHI had been accessed, stolen or lost, the people whose PHI had been leaked could not prove immediate, concrete damage. The breachers claimed the individual victims often were alleging merely that sometime in the future they might be harmed by the breach.
In many of the initial cases brought, this defense was found adequate and the Courts dismissed the cases. Increasingly though, Courts are beginning to find that the increased worry, and increased vigilance necessary by victims of such breaches make valid arguments for damages. In a recent case against Care First, the Appellate Court found that such injuries by the class of nearly one million customers of Care First subject to a breach could be the basis for the award of damages.
Care First computers were attacked by an intruder in 2014 who reached a database containing customers’ personal information, including PHI. Care First did not discover the breach until April 2015 and didn’t notify their customers until May 2015. Obviously, much damage could have occurred between June 2014 and May 2015. Without going into the many details leading to the Court’s decision, what stands out is the Court’s careful consideration and method of analyzing the increased risk of harm claim at the core of these suits. The Court found the complaint plausibly alleged the victims of the Care First breach face a substantial risk of identity theft. The Court found the fact that there had already been a breach satisfied much of the burden.
Care First claimed there is no reason to believe or they haven’t found any evidence yet of use of the breached personal information. In other words, the insurers argue that anybody could have breached the information for any number of reasons and it isn’t necessarily for wrongful purposes. Here the Circuit Court in DC quoted the 7th Circuit from another data breach case “Why else would hackers break into a ….database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent changes or assume those customers’ identities.”
The Court dismissed the provider/insurer claim that the road from the breach to future harm of the customers and victims was so long and so tenuous that no damage claim should be allowed. The Court found that there is no long sequence of uncertain contingencies, the risks accrued immediately upon the breach and that experience from past computer breaches and hacks indicates the intention of the hackers to do harm to the consumers/victims.
Providers and insurers should take note of this development. The 7th Circuit (Indiana) and now the DC Circuit are moving to make hospitals, providers and insurers fully liable for allowing their patients’ information and PHI to be breached. It appears only a matter of time before there will be an extremely large dollar judgment imposed upon a hospital, provider or insurer.
Clear and Present Danger
Todd Graham, MD was shot and killed by the husband of a patient in northern Indiana. The shooter had brought his wife and asked the doctor to provide opioids for her pain. Dr. Graham apparently examined her and indicated he did not think opioids were appropriate. The killer came back to the clinic later that day shot Dr. Graham and shot himself.
Clearly a tragedy, and one that should make all physicians rethink how to deal with opioid requesting patients. Some suggestions:
- Simply refuse to prescribe opioids and make that clear up front to anyone seeking an appointment or walking in to your office.
- Refuse to give opioids on the first office visit and require they try other treatments or methods first.
- Take the time to explain to patients or relatives of patients why you do not think opioids are in the best interest of the patient.
- Have a plan in place and tested for dealing with patients with issues or patients or relatives with anger issues.
- Work with local police or security experts to learn how to lock down your office and summon help.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians in health practices in contract items, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or firstname.lastname@example.org.