Health-care patients have filed nearly a dozen proposed class actions following the largest medical information cyberattack reported so far this year, forecasting the legal stakes for providers when hackers target such sensitive data.
Regal Medical Group disclosed last month that over 3.3 million patients had their personal and health information exposed in a December 2022 ransomware cyberattack. The US Department of Health and Human Services says the breach is currently the biggest reported to it in 2023. The agency’s Office for Civil Rights is also investigating it.
At least 11 lawsuits, all in California, were filed in the three weeks following Regal’s February disclosure, according to a Bloomberg Law analysis of court dockets. They seek monetary damages ranging between $100 and $3,000 per class member, and several want Regal and its affiliates to ensure they will prevent similar incidents from happening again.
The litigation comes amid other recent, high-profile health breaches. Last week, hundreds of congressional members staffers who use DC Health Link insurance potentially had their data exposed in a breach. Earlier this month, digital mental health care provider Cerebral Inc. reported inadvertently sharing the data of nearly 3.2 million people through advertising tracking technology with third parties, including Meta Platforms Inc. and Alphabet Inc.'s Google.
Given the liability risks from private lawsuits and government enforcement, attorneys stressed the importance of safeguarding against cyberattacks on health information.
“Part of the compliance mandate is when something goes wrong, you investigate it, you evaluate, and you figure out why it happened, and you learn lessons from it to improve your program,” said Kirk Nahra, a partner at Wilmer Cutler Pickering Hale and Dorr LLP and co-chair of the firm’s privacy and big data practices.
Regal declined to comment.
Information exfiltrated by the hackers includes patients’ names, contacts, Social Security numbers, diagnosis details, prescription data, laboratory test results, and health plan member numbers, according to Regal’s disclosure.
About a third of the Regal lawsuits were filed in the US District Court for the Central District of California, with the rest in state court.
They accuse Regal and its affiliates of acting negligently in failing to prevent the cyberattack, breaching implied contracts, and violating several state statutes including the California Confidentiality of Medical Information Act and California Consumer Privacy Act.
“California as a jurisdiction is very friendly for this kind of litigation, and California is one of those states that does provide remedies to affected individuals even if they can’t show harm,” said Dianne Bourque, a member practicing in health care law at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
Plaintiffs suing in California could recover damages simply by having their class certified, so any entity facing litigation would first want to prevent that from happening, Polsinelli P.C. shareholder Iliana Peters said. Peters advises clients on health information privacy at Polsinelli.
If a lawsuit survives a motion to dismiss from the defendant, most medical providers choose to settle, she said.
“Litigation is very expensive, and it requires lots of time. It’s just easier, quicker and more efficient to settle, and unfortunately, that results in more cases being filed. But if you’re doing a cost-benefit analysis, again, sometimes it is more effective, efficient and cheaper to settle,” Peters said.
Regal’s failure to prevent a data breach constitutes violation of the federal health privacy law, the Health Insurance Portability and Accountability Act, all but one of the lawsuits allege. However, HIPAA lacks a private right of action.
As a workaround to suing under HIPAA directly, plaintiffs are seeking to establish the law as the relevant standard of care to support other claims like negligence, Nahra said.
“There’s no way to certify HIPAA compliance, so it makes it hard as a referential standard, because yes, it includes very specific requirements,” Peters said, who enforced HIPAA regulations as the acting deputy director of the HHS Office for Civil Rights prior to joining Polsinelli. “But determining whether or not a particular regulated entity correctly implemented all of those requirements is up to the federal government and the state attorneys general.”
Whether a health law with no private right of action should even be cited in civil litigation is an open question that various jurisdictions have treated differently, attorneys said.
Only the Office for Civil Rights can determine a violation of HIPAA, they said.
Once notified of a data breach, the office typically sends a letter requesting more information about security assessments, company policies, and breach response, attorneys said.
“They effectively have carte blanche to ask for anything and everything that relates to the privacy and security of the data, especially within the context of the facts of the incident,” said Brad Rostolsky, a partner at Reed Smith LLP practicing in health-care regulation.
Other factors the agency considers when investigating data breaches are prior cyber incidents and previous enforcement actions, Nahra said.
Whether the attack involved ransomware demands is also a point of consideration. Some forensic work required to identify the exposed data in order to provide timely notice to the government and those affected can be made impossible by encryption of files and other ransomware methods, Rostolsky said.
“As a general rule here, I would say, I’ve seen the government become more and more appreciative of that and not hold that against the regulated entity,” Rostolsky said.
Office for Civil Rights investigations typically take over a year to conclude, Peters said. If a voluntary agreement isn’t reached, the agency can refer a case to the Justice Department for litigation.
The findings produced in HHS’ investigations can have a material impact on separate civil litigation filed by private plaintiffs, Bourque said.
“When you have that sort of information out in the wild—that the government has found you lacking—then it’s going to make things harder for you when the inevitable class action lawsuit starts to say that you weren’t negligent or you met the standard of care,” she said.
To contact the reporter on this story:
To contact the editors responsible for this story: