LA Hospital Data Breach Raises Questions as to Whether Consumers Can Sue for Risk of Identity Theft
As technology continues to advance, courts have been forced to establish grounds for litigation following a data breach. While current legal precedent causes many of these cases to be dismissed, U.S. organizations may soon be held liable for failing to protect the personal information of consumers.
According to the Financial Times, the recent data breach of a Los Angeles hospital forced officials to pay hackers a $17,000 bitcoin ransom to retrieve its medical records.
The hospital’s patients seemed to have escaped the ordeal without any their personal information being stolen, but the controversy prompted many legal experts to wonder how courts should respond to such situations.
In this instance, the hospital could have been unable to find a patient’s drug allergies in an emergency, which may have led to fatal consequences. Furthermore, many patients rushed to purchase credit monitoring services upon learning of the breach, costing them money.
In the 2013 case of Clapper v. Amnesty International USA, the U.S. Supreme Court ruled that legal action could not be brought against a government surveillance program because the plaintiffs could not prove that they were in immediate risk of financial injury.
“It’s difficult to show damage, particularly right away after a security breach,” said Matt Karlyn of the New York-based law firm Foley and Lardner. “And sometimes the damage might not impact a consumer base or shareholders until much later.”
However, courts then began applying this ruling to cases involving retailers, hospitals, and other private organizations. As data breaches become more common, courts have been forced to reevaluate their stance on this issue.
“Because of the prevalence of data breaches and the desire of courts not to leave individuals without remedy when their data have been compromised, we’ll be seeing courts getting more creative about how they define what an actual injury or a pending injury might be,” said Michael Whitener of the Washington-based firm VLP Law Group.
Current employees accounted for 35% of all data breaches in 2014, but outside hackers have found new ways to circumvent security protocol and steal customer identities. Since the parties responsible for the hack are rarely tracked down, consumers are now encouraged to sue the organization itself for damages in certain instances.
Just this week, Health IT Security reported that Wal-Mart’s online pharmacy underwent a 72-hour period in which patients could see the sensitive health information of other patients. The company has already announced that this was not an outside hacking job, so some patients may decide to file a class-action lawsuit in case their personal information was stolen.
Since cyber security defense is still fairly expensive, many companies are weighing this cost against the price they would be forced to pay in a class-action lawsuit.
“Companies are saying: ‘Is there really a risk I’m going to be subject to a class-action lawsuit?'” said Matt Karlyn of the New York-based law firm Foley and Lardner.
The courts’ stance on these cases is still quite fluid, so it will be interesting to see how consumers are compensated for data breaches in the future.