April 16, 2012, 9:04 AM — Cybercriminals are not the only ones looking to make money from health data breaches.
In California, where a unique state law provides for damages of $1,000 per person per violation of the Confidentiality of Medical Information Act of 1981 (CMIA), plaintiff law firms are lining up to file privacy data breach class-action lawsuits against hospitals, medical service providers and health insurers that, if successful, could easily yield payouts in the multiple millions.
The San Francisco-based legal publication The Recorder reported April 6 that at least a half-dozen plaintiff firms had filed complaints for privacy breaches so far, seeing it as a lucrative new source of income.
Brian Kabateck of the Los Angeles plaintiffs firm Kabateck Brown Kellner told The Recorder, "There's an awful lot at stake here."
Indeed, a suit pending against St. Joseph Health System involves the exposure of medical information of about 31,800 patients. At $1,000 each, even if only one violation is involved, it is simple math to see that would yield damages of $31.8 million.
But there is considerable distance between that gleam in a law firm's eye and reality. The attorneys filing the complaints and the attorneys defending their targets agree that they are in untested legal waters. Filing privacy breach cases as class actions is new, and all those involved say new legal precedents will be made in the next several years.
The CMIA, now more than 30 years old, was obviously designed for an era when documents were secured in file cabinets, and the most a single thief could carry away would likely be less than 30. And, without having somebody on the inside, it would also take breaking locks, smashing windows and generally defeating all the physical security measures common to medical facilities.
Now, with patient records in digital form, "you could have a million records stolen in a couple of seconds," says Randy Sabett, an attorney with ZwillGen, a Washington, D.C.-based law firm specializing in legal issues involved in doing business on the Internet.
Sabett says health care companies could be vulnerable if they took no measures to protect data.