HIPAA Data Breach Lawsuits Are Increasing in Lockstep with the Skyrocketing Number of HIPAA Data Breaches in the United States
HIPAA Data Breach Lawsuit Opportunities for Lawyers – In this era of digital data proliferation, data breaches have increased in frequency, as have HIPAA fines and lawsuits brought by individuals as well as class action lawsuits brought by large groups of impacted individuals.
Hospitals, pharmacies, and any other entity that collects protected health information (PHI) are responsible for ensuring their patients’ PHI is secure. These entities face heavy fines under HIPAA for failure to secure PHI. They also face individual and class action lawsuits brought by individuals for damages resulting from the theft of their data.
Data breaches are increasing across all industries, but data breaches involving the theft or exposure of protected health information create opportunities for lawsuits that data breaches in other industries may not. Because the laws around PHI are strict, precise, and well established, defending lawsuits when an organization has failed to secure PHI is difficult.
For law firms looking to increase their revenue and practice areas, pursuing individual or class action lawsuits against entities that must maintain HIPAA-compliant data security and fail to do so may be an excellent opportunity. It may also be a great opportunity for defense attorneys who represent clients being sued for failure to protect the protected health information (PHI) of their patients, because these cases are challenging to defend.
As data breaches among organizations that fall under HIPAA continue to be a major problem, the demand for legal services related to data breach lawsuits will only increase. For law firms that are well-versed in this area of the law, data breach lawsuits represent an opportunity to expand their practice and generate more revenue.
As more companies turn to data breach insurance and lawsuits, legal services related to these matters will become an integral part of any healthcare organization’s risk management strategy.
Whether it’s protecting clients from financial losses due to data breaches or holding negligent companies accountable, law firms that specialize in data breach insurance, lawsuits, and class action lawsuits will be invaluable now and in the future.
Data Breach Lawsuits
Data breach lawsuits are making headlines, highlighting the growing concern over data security and the consequences faced by companies that fail to protect sensitive information. Data breach lawsuits have become increasingly popular in recent years as the frequency and severity of data breaches have grown. The exact timeline of when data breach lawsuits became popular can vary, but they gained significant attention and traction in the early to mid-2000s.
The landmark case that brought data breach lawsuits into the public eye was the ChoicePoint data breach in 2005. ChoicePoint, a company that aggregated and sold consumer data, suffered a breach that exposed the personal information of over 163,000 individuals. This incident led to multiple class-action lawsuits and set a precedent for future legal action against companies responsible for data breaches.
Since then, there have been numerous high-profile data breaches that have resulted in significant lawsuits. In fact, as of 2023, nearly every company you have ever heard of, and most companies of any significant size, have experienced one or multiple data breaches.
Because data breaches often impact thousands, and sometimes millions, of people at a time, data breach class-action lawsuits have become more common. The settlements in these cases have often reached into the millions of dollars, highlighting the financial impact of data breaches on both individuals and organizations and providing an excellent source of fees for the attorneys who bring these class action lawsuits on behalf of plaintiffs.
The prevalence of data breach lawsuits has grown alongside the increasing recognition of the importance of protecting personal information and the potential harm caused by data breaches. As data breaches continue to occur, it is likely that we will see further developments in data breach litigation and an ongoing focus on holding organizations accountable for safeguarding sensitive data.
Data Breaches are on the Rise – Which Will Increase the Number of Resulting Lawsuits
In 2023, a total of 1,393 data breaches occurred in the U.S., surpassing the yearly figures for every year from 2005 to 2020, except for 2017. According to Infosecurity Magazine, the U.S. is projected to exceed its previous record of 1,862 data breaches recorded in 2021.
The healthcare and financial services industries were reportedly the top industries affected by U.S. data breaches, although every sector reported a higher number of data breaches this year compared to the first half of 2022.
In the first half of 2023, U.S. data breaches affected over 156 million individuals, marking a significant surge of more than 150% compared to the reported number of victims in the same period of 2022, as per the ITRC’s findings.
According to the ITRC, there has been a 67% increase in the number of U.S. data breaches in 2023 where the root cause of the breach is unknown. This means the affected organizations have no idea how the data breach occurred, which seems to indicate more data breaches are likely until the source is discovered and the vulnerability resolved.
ForgeRock, a global digital identity company, just released a report that shows the United States as the most expensive country in the world to recover from a data breach. They estimate that the average cost of recovery is a whopping $9.5 million.
Why Are Data Breach Lawsuits Popular Among Lawyers?
Lawyers are often drawn to data breach lawsuits for several reasons:
- High-profile nature: Data breaches often involve large corporations and organizations that have significant resources. These high-profile cases can generate media attention and public interest, which can be advantageous for lawyers seeking exposure.
- Potential for significant damages: Data breaches can result in substantial financial losses for individuals and businesses. Lawyers recognize the potential for significant damages in these cases, which can translate into higher fees for their services.
- Increased understanding of data protection laws: As more countries and regions pass comprehensive data protection laws, there is an increased understanding of the legal implications of a data breach. Lawyers are better equipped to identify and argue violations under these new regulations, which can further their success in pursuing damages in court.
HIPAA Data Breach Lawsuits
In February 2021, Kroger informed patients that their data was part of the extensive Accellion data breach in 2020. Shortly after, breach victims swiftly filed a lawsuit. Remarkably, by June, a mere four months after the breach disclosure, Kroger reached a settlement of $5 million with the breach victims.
What’s more, these quick settlements are becoming increasingly common in breach litigation. Because of the potentially high costs of a prolonged court battle, many defendants are willing to settle a case quickly and quietly. This is great news for plaintiff attorneys who specialize in data breach lawsuits.
Data breaches involving protected health information (PHI) can have serious consequences, including hefty fines, lawsuits, and even potential criminal charges. As such, it is not surprising that HIPAA data breach lawsuits are becoming increasingly common.
These cases often involve the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sets standards for protecting PHI. A lawsuit may be pursued in cases where an organization fails to comply with these standards, such as failing to implement adequate security measures or failing to notify individuals of a data breach within the required timeframe.
HIPAA data breach lawsuits can take various forms, including class action suits and individual lawsuits. However, they all generally seek similar compensation, which may include damages for out-of-pocket costs, mental distress, and punitive damages for organizations that are found to have acted with gross negligence.
Given the severity of the consequences of a HIPAA data breach, it is important for companies and other organizations to take all necessary steps to protect PHI and comply with HIPAA regulations. Doing so can help prevent costly lawsuits in the future and ensure that individuals’ sensitive information is safe and secure.
2022 HIPAA Settlements
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Health Specialists of Central Florida Inc | HIPAA Right of Access failure | 1 | $20,000 |
| New Vision Dental | Impermissible disclosure of ePHI on Yelp, and notice of privacy practices failure | <20 | $23,000 |
| Great Expressions Dental Center of Georgia, P.C. | HIPAA Right of Access failure (delay + fee) | 1 | $80,000 |
| Family Dental Care, P.C. | HIPAA Right of Access failure | 1 | $30,000 |
| B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | HIPAA Right of Access failure | 1 | $25,000 |
| New England Dermatology and Laser Center | Improper disposal of PHI, failure to maintain appropriate safeguards | 58,106 | $300,640 |
| Memorial Hermann Health System | HIPAA Right of Access failure | 1 | $240,000 |
| Southwest Surgical Associates | HIPAA Right of Access failure | 1 | $65,000 |
| Hillcrest Nursing and Rehabilitation | HIPAA Right of Access failure | 1 | $55,000 |
| MelroseWakefield Healthcare | HIPAA Right of Access failure | 1 | $55,000 |
| Erie County Medical Center Corporation | HIPAA Right of Access failure | 1 | $50,000 |
| Fallbrook Family Health Center | HIPAA Right of Access failure | 1 | $30,000 |
| Associated Retina Specialists | HIPAA Right of Access failure | 1 | $22,500 |
| Coastal Ear, Nose, and Throat | HIPAA Right of Access failure | 1 | $20,000 |
| Lawrence Bell, Jr., DDS | HIPAA Right of Access failure | 1 | $5,000 |
| Danbury Psychiatric Consultants | HIPAA Right of Access failure | 1 | $3,500 |
| Oklahoma State University – Center for Health Sciences | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications & an unauthorized disclosure | 279,865 | $875,000 |
| Dr. Brockley | HIPAA Right of Access | 1 | $30,000 |
| Jacob & Associates | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer | 1 | $28,000 |
| Northcutt Dental-Fairhope | Impermissible Disclosure for Marketing, Notice of Privacy Practices, HIPAA Privacy Officer | 5,385 | $62,500 |
How Expensive Is A HIPAA Violation for Data Breach?
Ever wonder how much it costs a company if they violate HIPAA Regulations and a patient’s personal information is divulged?
HIPAA violation fines:
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
- Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days
But it isn’t as simple as just that – multiple violations in a single calendar year could result in fines as high as $1,806,757 per violation.
Source: https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
Lawsuit Settlements Resulting From HIPAA Data Breaches
A data breach cost Cancer Care Group $750,000 in 2016.
Cornell Prescription Pharmacy was fined $125,000 for HIPAA violations because it failed to properly destroy some paper documents, divulging hundreds of patients’ information.
Another healthcare system was fined $850,000 when a laptop that was left in storage was stolen.
Dominion National Insurance Company settled a data breach case for $2,000,000 in 2021.
Kroger settled a data breach lawsuit for $5,000,000.
February 21, 2023 – Advent Health Partners has agreed to pay a $500,000 settlement to resolve a class-action lawsuit stemming from a 2021 healthcare data breach that affected more than 60,000 patients.
What Law Firms Need to Know – According to HIPAA Law, Securing Patient Data is The Health Care Provider’s Responsibility
Failing to comply with HIPAA Rules cannot be excused by ignorance. It is the responsibility of every entity that handles protected health information (PHI) to comprehend and adhere to HIPAA rules. In instances where an entity is found to have willfully violated HIPAA laws, it may be subject to hefty fines. And beyond fines, individual and class action lawsuits are being brought against healthcare entities that fail to secure their patients’ personal and health information because their responsibilities have been so clearly defined by law.
In a nutshell what HIPAA says is this:
Any organization that collects PHI must do whatever it has to do to make sure it doesn’t divulge PHI. This may include, but is not limited to:
- How computers are disposed of
- How portable drives are disposed of
- How networks are secured
- How networks prevent being hacked
This is a real challenge because HIPAA does not provide guidelines, suggestions, or recommendations, or in any way mandate methods or procedures by which data security can be achieved. In fact, if you read the Physical Security Standards Section of the HIPAA rules, you will see clearly that they do not in any way advise on how to protect data, only that you must do so and must do whatever is necessary to keep data secure.
What they do say is that anyone who falls under HIPAA must protect their patients’ PHI (Protected Health Information) and must have a detailed plan in place outlining how they intend to achieve and maintain data security.
Also, it is important to know that it isn’t just hacking or virus programs that cause HIPAA data breaches. Employee theft of old laptops, computers, thumb drives, printers, and other media is one of the most common ways patients’ personal and health information is breached. Old equipment is placed in back rooms or in storage, and employees, thinking these devices are just collecting dust, take them home and sometimes resell them online.
Unfortunately, many of these devices still contain huge data files with patients’ PHI on them and if discovered, the health care system is 100% responsible for this violation for failure to properly secure a patient’s PHI.
All devices and media storage tools must be disposed of using methods that ensure no data can be recovered from them, which unfortunately is not easy to accomplish. As an example, for some forms of media storage, the only way to know there is zero recoverable data left on them is to shred them down to pieces smaller than two millimeters.
HIPAA requires policies and procedures that address the disposition of protected health information (PHI) and the hardware it is stored on.
These stringent laws and guidelines are what make data breaches related to protected health information an excellent practice area for lawyers. The laws are clear; the responsibility to protect the protected health information of individuals falls entirely on the health care entity. They are required to do whatever it takes to make sure protected health information is not stolen or somehow recovered from media or devices.
Because of this, when healthcare organizations fail in their charge to prevent protected health information data breaches, they don’t have a lot of great defense strategies in court. This makes bringing lawsuits against these organizations a great practice area for law firms looking to increase their revenues by adding practice areas to their firms.
Why Law Firms Might Consider Adding HIPAA Data Breach as a Practice Area
Strong legal framework: Many jurisdictions have established laws and regulations surrounding data protection and privacy, providing a solid legal foundation for pursuing data breach cases. This framework allows lawyers to leverage existing statutes and regulations to build strong arguments on behalf of their clients.
Class action opportunities: Data breaches often affect many individuals simultaneously, making them well-suited for class action lawsuits. Lawyers can represent a group of affected individuals, pooling their resources and increasing the chances of a successful outcome.
Class action suits can provide a more efficient and cost-effective approach to legal action, as they require the resources of fewer lawyers. They also increase the likelihood that damages awarded to plaintiffs will be greater than those available through individual lawsuits.
In addition to traditional class action opportunities, there are other forms of mass litigation such as multi-district litigation (MDL) and coordinated state court proceedings. These are similar to class actions but involve a larger number of cases consolidated into one legal action. This can be beneficial for lawyers as it allows them to represent a greater number of clients in a more efficient manner.
Data breach lawsuits offer significant potential for lawyers due to the prevalence of class action opportunities. By participating in these cases, lawyers can provide much-needed legal support and advocacy to affected individuals while simultaneously increasing their own exposure and potential for success.
Evolving landscape: The field of data breaches is continually evolving, with new breaches and security vulnerabilities emerging regularly. This constant stream of cases ensures a steady flow of potential clients seeking legal representation.
Lawyers must stay up-to-date on the latest developments in order to effectively represent their clients. This requires an understanding of the current laws and regulations, as well as emerging trends and best practices related to data security. Keeping up to date on technological advances and cybersecurity measures is essential for law firms wishing to add HIPAA data breach lawsuits as a practice area and for any lawyer looking to specialize in data breach cases.
Examples of Large Data Breach Lawsuits Involving Exposure of HIPAA Patient Information
Lawsuits following large healthcare data breaches are becoming increasingly common. Many major organizations, including providers, payers, vendors, and others, are finding themselves reporting incidents involving the personal and health information of millions of their customers. For instance, take Community Health Systems, another major Tennessee provider network that’s been sued after a breach exposed the data of about one million of its patients.
HCA Healthcare: HCA Healthcare, a major healthcare provider, has been sued for a recent data breach. Plaintiffs allege that the breach resulted in the theft of identity and other sensitive information.
Just one week after HCA Healthcare reported a data theft that affected more than 170 of its hospitals and could impact more than 11 million of its patients, the sprawling Nashville-based health system is facing a class action lawsuit for the breach.
The Plaintiffs in the HCA case are seeking monetary damages and other relief because HCA failed to protect their personal and health information. According to the lawsuit, since data thieves often target healthcare industry entities, HCA “should have known” about the risk of a cyberattack.
The plaintiffs claim that HCA didn’t take proper security measures for the sensitive information they had, like encrypting the data or getting rid of it when it wasn’t necessary anymore.
Rite Aid: Rite Aid, a pharmacy chain, experienced a data breach that compromised customer information. As a result, the company is facing a class-action lawsuit.
Harvard Pilgrim Health Plan’s parent company, Point32Health, is currently dealing with several class action lawsuits due to a recent ransomware attack.
Johns Hopkins has been hit with multiple lawsuits caused by ransomware attacks after hackers exploited a vulnerability in the MOVEit MFT tool.
Lehigh Valley Health Network, based in Pennsylvania, is dealing with a class action lawsuit.
Law Firms Must Avoid “Ambulance Chasing” HIPAA Cases
There are over twenty states that have laws about “ambulance chasing” by lawyers. Every bar association considers this behavior unethical. One attractive thing about HIPAA violations for law firms is that when a violation has happened, the healthcare entity is required by law to report the data breach. Those data breach reports are posted publicly on a single government website, which makes it easy for law firm marketing departments to know a data breach has occurred and begin trying to contact potential plaintiffs.
It is important to make sure your law firm’s marketing department or marketing companies who handle marketing for your firm are marketing to these individuals in a manner that does not violate any state law or cause your firm to be reported to the Bar Association for ethical violations. You will need to check in your own state to remain up to date on their laws regarding how lawyers may market to potential plaintiffs.
Summary – HIPAA Data Breach Lawsuits – an Opportunity for Law Firms
Data breach cases are skyrocketing across the United States (and around the world). Health care providers, pharmacies, and any other entity that handles PHI (Protected Health Information) are responsible for ensuring the security of the personal and health information of their patients.
When these entities fail to do so, they are subject to HIPAA fines, civil and criminal penalties. They are also subject to lawsuits brought by individuals or groups of individuals who are granted a “class” for a class action lawsuit to be brought seeking damages.
The laws around PHI are clear and well established. This makes attempting to defend these types of lawsuits difficult for corporate attorneys, and excellent cases for plaintiff attorneys.
Often data breaches involve thousands and even millions of individuals. The lawsuits that result often run into the hundreds of thousands and even multi-million-dollar range, which can result in a lot of contingency fees for plaintiff attorneys and billable hours for the lawyers who defend their clients in these cases.
This makes data breach cases where PHI has been exposed an excellent potential practice area for law firms seeking to increase revenues and specialty practice areas within their firms.
About The Authors – Balanced Bridge Funding
Balanced Bridge Funding offers legal funding solutions for plaintiffs, plaintiff attorneys, attorneys, and law firms. To talk to one of our legal funding specialists about getting help managing your law firm cash flow, please call (267) 457-4540 or email info@balancedbridge.com.