Concrete Damages Essential to Data Security Deficiency Cases
Can a person who suffered no damages as a result of an alleged HIPAA breach still sue a provider when electronic health records are potentially disclosed due to lax security?
Generally, the answer is no.
Williams-Diggins v. Mercy Health, decided recently in the Northern District of Illinois, addressed the complexities of data security in the health care industry. At first blush, it is yet another easy case in which the plaintiff did not have standing to sue for alleged data security deficiencies. In Mercy Health, the plaintiff alleged that Mercy's electronic health record (EHR) system was not properly secured and that, as a result, Mercy caused "private and protected patient information to be exposed to unauthorized third parties." The plaintiff sought to represent a class of patients and asserted several theories of recovery under state consumer protection law, contract law and tort.
More important than what the plaintiff alleged, however, is what the plaintiff failed to allege: damages. Specifically, the plaintiff failed to claim that an actual breach had occurred. The court reasoned that "[e]ven if Defendant's approach to data security was clumsy, it also was harmless, and that is fatal to Plaintiff's claims."
In short, no concrete injury means no standing and no case. And the plaintiff's allegations concerning Mercy's failure to meet HIPAA Security Rule standards did nothing to change the matter because, as the court stated, "[a]ny HIPAA claim fails as HIPAA does not create a private right of action for alleged disclosures of confidential medical information."
Still, the news is not all good for providers and payors. Although Mercy Health lacked facts with any potential for creating a cause of action—there was no data breach—other plaintiffs may be encouraged by some of Mercy Health's dicta. In considering and rejecting the plaintiff's "benefit of the bargain" contract claim, in which the plaintiff alleged that he overpaid for services because Mercy Health failed to make proper investments in data security, the court left a window open: "[Plaintiff] contends that he suffered an economic injury because some portion of his payments to Defendant for health services were for data security measures that Defendant should have (but did not) take. The problem … is that his allegations only show the Defendant did not take a specific action, and do not show Defendant failed to take sufficient action to prevent unauthorized disclosure."
This raises the question: What if such a showing could be made? That is, what if there had been a breach? The court appears to imply that payment for services, plus a breach, may be enough to confer standing. If so, that would be a departure from the majority of courts that have addressed the issue, which have generally required a plaintiff to show a concrete injury resulting from a breach.
To be sure, the court was not answering that question. And the cases cited by the plaintiff in support of a contractual "benefit of the bargain" theory of recovery predated the seminal case on the matter, Spokeo, Inc. v. Robins.
This much is clear: No breach means no damages, which means no standing. Speculative security harms are not enough, and the failure to meet HIPAA standards does not give rise to a private cause of action.