Last month, I blogged that AvMed was settling two lawsuits that sprang from the theft of laptop computers in 2009. I noted at the time that, other than AvMed admitting to nothing, there was nothing of note. But details always come forth with time. It looks like AvMed will be paying $3 million for not using laptop encryption on two of their machines. That's a stiff price to pay. Plus, the OCR at the Department of Health and Human Services may still slap them with a $1.5 million fine, the annual cap on HIPAA civil monetary penalties for violations of an identical provision.
Things of Note
The settlement, in the layman's view, does not provide much comfort. As is usually the case in class action suits, the people who were affected are not really getting much of anything. Class members can file a claim, but payments are capped at $30 per person. AvMed has also promised to:
implement security awareness and training programs for its employees, adopt new password protocols, upgrade security mechanisms on company laptops, adopt disc encryption technology on company computers, train employees on appropriate laptop use and install physical security upgrades at its facilities. [topclassactions.com]
However, there are a couple of things of note. First, as globalregulatoryenforcementlawblog.com notes (my emphasis):
Settlements for data breach class actions have traditionally not extended payments to class members who have not experienced any fraud or identity theft. Here, though, that is exactly what the sides agreed to, whereby payments will be made to all class members who purchased insurance, even absent any fraud or identity theft.
This is significant. Although AvMed is not admitting to anything, if you believe that actions speak louder than words, the implication here is that a data breach in and of itself can be construed as a real harm.
Second, in something of a contradiction, we could be reading too much into this case. As AvMed noted in their defense:
class certification was inappropriate because many of the proposed Class Members cannot show they experienced identity theft in the wake of the data breach and therefore were not injured. Judge King refused to throw out the plaintiffs’ claims, finding that it was too early in the litigation process to make that determination. [topclassactions.com]
What really differentiates this particular HIPAA breach from other ones is that a subset of the affected were able to plead the elusive link between a data breach and actual, cognizable harm: they suffered identity theft after the theft of the laptops. Under the circumstances, one has to assume that whoever stole the laptops also has access to, and the will to use, the information tied to the so-called "not injured" parties. I mean, it's right there, no? It doesn't take a genius to figure that out, and hence the court's finding that it was "too early" to decide who had and had not been injured.
What's the lesson for future lawsuits? I'm not a lawyer, but I'm guessing it means that nothing has changed. The courts have ruled time and again that plaintiffs must bring forward an identifiable injury. Because many plaintiffs who file suits are unable to do so, the courts have dismissed their cases at the pleading stage, before the merits are ever heard.
Of course, some might say the real lesson here is to encrypt PHI. Why go through all this drama when HIPAA and many state breach laws give you safe harbor in the form of data encryption? Under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest) is treated as "secured," so its loss is not a reportable breach. The one caveat a practitioner should keep in mind: the safe harbor only holds if the decryption key was not lost along with the device, so a laptop with the key cached on the disk or taped to the lid buys you nothing.