Litigation over data breaches is on the rise, with affected individuals quick to sue and smaller incidents increasingly yielding class-action lawsuits, a new analysis of data breach responses found.
The 2022 report from BakerHostetler, Digital Assets and Data Management – Resilience and Perseverance, quantified litigation trends surrounding data breaches in all industries, including health care.[1]
“In 2021, there was a trend of multiple lawsuits being filed in the same venue within weeks following incident notification, even for smaller incidents,” the report said. “Previously, there was always a risk of multidistrict litigation following large data incidents. However, now we are seeing multiple lawsuits following an incident notification in the same federal forum. Or, in the alternative, we see a handful of cases in one federal forum and another handful of cases in a state venue.”
This is “increasing the ‘race to the courthouse’ filings and increasing the initial litigation defense costs and the ultimate cost of settlement, due to the number of plaintiffs’ attorneys involved,” the report said. BakerHostetler clients were involved in 536 breach notifications in 2021, and 23 of those incidents resulted in lawsuits.
SuperCare Sued Within Weeks
Two recent large breaches demonstrate the trend of fast lawsuits.
In-home respiratory care provider SuperCare Health was sued April 12 in the U.S. District Court for the Central District of California over a breach involving information for 318,400 patients that was disclosed on March 25.[2] Based in California with operations there and in Arizona, Nevada, New Mexico and Texas, SuperCare said in its “Notice of Data Security Incident” that it discovered unauthorized activity in its systems July 27, 2021.[3] The forensic investigation revealed that an unknown party had access to “certain systems on our network from July 23, 2021 to July 27, 2021.”
On Feb. 4, SuperCare determined that affected files included names, addresses, dates of birth, hospital or medical groups, patient account numbers, medical record numbers, health insurance information, testing/diagnostic/treatment information, other health-related information and claim information. For a small subset of individuals, the information impacted included Social Security numbers and/or driver’s license numbers.
“The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect Plaintiff’s and the Class members’ Private Information despite the fact that data breach attacks against medical systems and healthcare providers are at an all-time high,” the lawsuit stated. In addition, the lawsuit noted that SuperCare “has not offered to provide affected individuals with adequate credit monitoring service or compensation for the damages they have suffered as a result of the Breach.”
Meanwhile, Logan Health Medical Center in Kalispell, Montana, was sued in Flathead County District Court over a 2021 breach that compromised the personal information of more than 200,000 patients.[4] The lawsuit, filed by two former patients, claims that the plaintiffs are facing more phishing attempts and decreased credit scores since their data was breached, and are at heightened risk of tax fraud and identity theft.
The suit alleges the medical center lacked adequate cybersecurity to prevent the breach of patient names, phone numbers and insurance information. According to the medical center, the breach did not involve medical records. Patients were offered one year of free credit and identity protection services.
This is Logan’s second data breach lawsuit in three years. In late 2020, Logan—then Kalispell Regional Health—agreed to pay more than $4 million in a settlement with patients for a breach of medical records that occurred in 2019.