A new frontier in breach litigation is coming. Fueled by relaxed regulation necessitated by the Covid-19 pandemic, health providers have plunged headfirst into telehealth.
This plunge, particularly for telehealth providers using the potentially less secure technologies temporarily permitted during the pandemic, increases the opportunity for hackers to steal patients’ protected health information.
When breaches occur, a new genre of breach litigation is likely to arrive, including class actions.
Numerous types of litigation could be triggered by a telehealth breach:
- Enforcement actions from federal and state regulators;
- Contract, negligence, subrogation/indemnification, and unfair trade practices claims by telehealth providers against their vendors;
- Shareholder litigation;
- Product liability litigation;
- Insurance litigation, including disputes over malpractice, cybersecurity, directors and officers, business risk, and other policies; and
- Consumer class actions brought by patients whose information is compromised against their telehealth providers. This is the most expensive category and the focus of the remainder of this article.
Litigation From Patients
Patients whose information is compromised in a telehealth breach are likely to initially bring a wide variety of claims, including:
- Negligence-based claims (direct or based in vicarious liability for service providers)
- Privacy-based tort claims
- Contract-based claims (express or implied; direct or based on third-party beneficiary theories)
- Breach of fiduciary duty
- Unjust enrichment
- Violations of state and federal consumer privacy and cybersecurity laws
- Violations of state unfair trade practices acts
- Violations of breach notification rules
Defenses Against Patients’ Claims
Relevant defenses are necessarily dependent on the claims raised by plaintiffs and the particular facts and jurisdictions at play in each case. Some defenses are useful as part of an early motion to dismiss, while others are inherently factual. Either way, the following will likely prove helpful for telehealth providers combating patients’ claims:
- Standing/no harm. Plaintiffs can only sue if harmed or facing a sufficiently imminent and concrete risk of harm. Decisions throughout the country disagree over when, if ever, plaintiffs whose information has been compromised, but not yet misused, can sue. The same issue is likely to arise in telehealth litigation.
- Speculative or otherwise inappropriate damages. Not all alleged harm is compensable, and jurisdictions vary on the types of harm they accept.
- No private right of action. Some statutes are only enforceable by regulators (not individuals). Data breach plaintiffs, however, frequently attempt to ignore this or otherwise argue for an implied private right of action.
- Challenges to causation, including contributory or comparative negligence. At least in theory, providers are only responsible for damages they have caused. Providers then will point to other causes to decrease their liability, including intervening illegality (e.g., a hacker), other breaches that have compromised the patients’ data, and the patients’ own negligence (e.g., their poor cybersecurity practices).
- Exempt entity. Many laws exempt entities covered by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) from their reach or otherwise limit their application (e.g., limiting application to for-profit entities doing business within the state).
- Economic loss doctrine. The economic loss doctrine prohibits claims for negligence for purely economic losses, but its application and applicable exceptions vary widely among jurisdictions.
- No violation. Providers can challenge whether they acted negligently, breached contractual or statutory requirements, or made any alleged misrepresentations. Consideration may also be given to surrounding circumstances. For example, providers may argue that a decreased standard of care applied during the Covid-19 pandemic.
- Consent. Providers can raise what is essentially an assumption of risk defense that the patient understood the risks, consented to treatment, and had no reasonable expectation of privacy beyond what he or she received.
- No “disclosure” or “intent.” Some torts require the defendant to have wrongfully “disclosed” the information or acted with a particular intent. Providers can push back on such claims by arguing that it was the hacker, not them, who disclosed the information, and/or that any disclosure was not done with the requisite intent.
- The patient “got what they paid for.” It can be helpful to ask patients whether they read the privacy terms given to them by their provider before providing their information and what portion of their payment was allocated to data security. Such concepts have successfully trimmed prior data breach claims, particularly contract-based or unjust enrichment claims.
- Duplicative claims. Some claims cannot, unless based on different facts, be pled jointly. For example, some jurisdictions would not allow patients to bring both a breach of contract claim and either a breach of the implied covenant of good faith and fair dealing or unjust enrichment claim.
- Stretching too far. As plaintiffs test legal boundaries, they often make arguments that can only be described as “a stretch.” Providers can point out the incongruence between the legal elements asserted and the case facts. For example, courts generally dismiss data breach claims founded on bailment theories.
Preparing for Litigation
Time will tell which of these claims and defenses prove most pivotal to this new frontier in data breach litigation, but here are five things telehealth providers can do now to best position themselves for litigation:
- Invest in good cybersecurity and privacy practices and contractually require your partners to do so as well.
- Make sure you are complying with all relevant privacy and cybersecurity laws, from policy creation and notice at collection to breach notification; it is important to avoid “per se” violations.
- Regularly update your policies and representations to ensure they align with current standards and your actual practices.
- Document your privacy and cybersecurity efforts with an eye toward trial, including taking steps to maximize privilege.
- Obtain appropriate amounts of insurance.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Patricia Calhoun is a shareholder at Carlton Fields. She is a health-care attorney who assists hospitals, surgery centers, physicians, and other health-care-related businesses with privacy issues, HIPAA, risk management, licensing, Stark Law, and anti-kickback compliance.
Patricia Carreiro is a data privacy and cybersecurity litigation attorney at Carlton Fields.