Emory Healthcare has been sued for $200 Million over the loss of ten discs that contained patient data. Anyone who argues that using data encryption software is too hard, time consuming, and expensive ought to consider what it takes to successfully defend against a multimillion class-action lawsuit.
Reaction to April Breach
Earlier this year, I had blogged about how Emory Healthcare, in Atlanta, Georgia, had lost 10 discs containing PHI on over 300,000 patients and SSNs on over 220,000. The information, if you’ll recall, was not protected with encryption software because the system Emory was using was too old. The same limitation was trumpeted as a sort-of defense because it wouldn’t be easy to read the data…because the system was too old: finding a system to read the data on the discs would entail, one is led to believe, some dumpster diving.
The lawsuit seeks $1,000 for each person affected who joins the suit, and at least 200,000 are expected to become part of the class. The suit is asking Emory to pay for “identity theft and credit insurance…for at least three years,” according to beckershospitalreview.com.
I’m guessing that Emory will settle the lawsuit. Not that the medical establishment doesn’t have a fighting chance.
The Emory data breach is one in a long line of data breaches that I’ve been tracking since 2007. In all those years, the number of lawsuits that plaintiffs have won can be counted on one hand — and even then, the “win” tends to leave something to be desired. Why do plaintiffs face an uphill battle when going after organizations that have had a data breach?
Show Us the Harm, We’ll Show You the Money
Basically, the courts appear to be in agreement that, for reparations to be made, those who are suing need to show harm: if you were harmed, the courts will make you whole after identifying those culpable in making you “less than whole.”
The problem with a data breach is that, most times, you can’t tell whether there was harm or not. A breach in and of itself is not viewed as a “harm.” It’s harmful — as in capable of causing harm — but until you’re actually harmed, the courts can’t make you whole. After all, you weren’t harmed.
The fact that you may become a victim in the future is not grounds for a court hearing. Such “future-oriented harm” is theoretical — after all, nothing might come of the loss of the 10 Emory discs — and hence speculative. I picked two such stories at random here and here. There’s more where those came from (I’d have a gazillion such posts if I had the time to comment on them all).
The good news for those whose data is breached is that the courts seem to be shifting their viewpoints. Plus, laws are being passed to protect consumers, seeing as old legislation can’t keep up with today’s realities. However, for the time being, it’s still an uphill battle for those who are most affected by the loss of data.