Breach Class Action Suit Advances
Appellate Court Ruling Paves Way for AvMed Case to Proceed
A recent appellate court ruling in Florida might pave the way for the first U.S. class action lawsuit involving a health data breach to move forward to trial.
The case involves the December 2009 theft of unencrypted laptop computers from the Gainesville, Florida, corporate offices of AvMed, a health plan. The laptops contained personal information on 1.2 million current and former AvMed health plan members (see: AvMed Breach Now Affects 1.2 Million).
Among the members whose information was contained on the stolen laptops were Juana Curry and William Moore, plaintiffs in the case that was filed on their behalf by the Chicago law firm Edelson McGuire LLC.
The suit alleges that Curry and Moore became victims of identity theft about 10 months and 14 months, respectively, after the AvMed laptops were stolen. The case alleges that Curry's sensitive information was used to open a Bank of America account and change her address with the United States Post Office, and Moore's sensitive information was used to open an E*Trade Financial account in his name.
Appellate Court's Decision
The U.S. Court of Appeals Eleventh Circuit decision reversed an earlier district court decision that dismissed the case, in part, due to failure to state a cognizable injury, says Ari Scharg, an Edelson McGuire attorney representing the plaintiffs. The appellate court remanded the case back to district court for further proceedings.
As a result of the appellate court ruling, the case will return to a southern Florida district court and enter the discovery phase. Then that court will decide whether to certify the suit as a class action, Scharg explains.
Plaintiffs can now seek repayment for a portion of the monthly premiums they paid for their health plan coverage that AvMed used for the administrative cost of data security, Scharg notes. He does not know yet how much those costs may be, or what portion of member premiums is used by AvMed to pay for data security.
Despite the possibility of recovering those costs for plaintiffs, Scharg says, "First and foremost, we want AvMed to bolster their [data] security and management, and bring it in line with HIPAA regulations," including encrypting data. "If the company would've followed HIPAA regulations, this mess would've never happened."
In a statement about the latest development in the case, AvMed said: "We provided identity protection to everyone affected for a period of two years. To date, we have not had any reports of identity thefts directly related to the theft of the laptops. We feel we will prevail in this case."
If the case is certified by the court as a class action and is not settled before going to trial, it could be the first U.S. class action health data breach suit that goes to trial, Scharg says. The class action could involve the 1.2 million individuals whose data was contained on AvMed's stolen computers.
"I do not know of any health-related [breach class action] cases that have gone to trial," adds Ron Raether, an attorney at Faruki Ireland & Cox P.L.L. who's not involved in this case, but who has expertise in breach-related legal issues.
A handful of other class action suits involving health data breaches have been settled or dismissed.
Among those cases was a suit against Providence Health & Services following a 2005 data breach. That case was dismissed in February (see: Providence Breach Case Dismissed.)
The Providence lawsuit was dismissed on summary judgment at the trial court, and an appellate court as well as the Oregon Supreme Court affirmed the dismissal, says Adam Greene, a partner at law firm Davis Wright Tremaine, which represented Providence. "So I have seen class actions progress pretty far, albeit without any success," says Greene, who formerly worked at the Department of Health and Human Services' Office for Civil Rights.
The lawsuit against Providence was filed on behalf of the 365,000 individuals affected by a breach that involved stolen unencrypted computer disks and tapes. Plaintiffs had sought $73 million for certain costs as well as distress suffered when the patients learned of the theft. In a unanimous opinion, the state supreme court ruled that the plaintiffs "failed to state claims on which they could recover damages either for negligence or for violation of Oregon's Unfair Trade Practices Act," a report from Greene's firm states. The court based its decision on the absence of any claim that the information stolen "was viewed by the thief or other third parties, let alone misused to cause damage to credit or identity theft."