After a HIPAA breach, it’s possible a plaintiff will bring a class-action lawsuit against the healthcare organization where the breach occurred. Typically, a plaintiff will seek compensatory and punitive damages as a result of the breach of their personal information. The judge will be looking to see if the plaintiff can prove they were directly harmed as a result of the breach. If not, the case is often dismissed.
The Ponemon Institute estimates that a healthcare organization will spend $800,000 on lawsuits after a data breach. Breaking that number down, Ponemon estimates that class-action lawsuits will cost a healthcare organization approximately $1,000 per affected patient. It’s important to note that this figure is for class-action lawsuits, not individual lawsuits, which can cost a lot more.
After a breach, there are often three types of lawsuits that can affect your practice:
Celebrity Cases: A lawsuit involving a celebrity is an individual, often expensive, lawsuit. These lawsuits are high-profile and tend to be played out in the media as well. In 2011, UCLA Health Systems agreed to pay $865,500 after two celebrities claimed their EHRs were viewed by hospital employees without authorization. In 2009, Kaiser Permanente was fined $250,000 when some employees illegally viewed the medical records of a celebrity.
Class-Action or Individual Lawsuits: Even without celebrity involvement, class-action and individual lawsuits can be expensive. Class-action lawsuits can actually be more expensive because the lawsuit includes a large number of affected patients. In 2012, St. Joseph Health System suffered a breach affecting 31,800 patients. Four years later in 2016, St. Joseph agreed to pay $7.5 million to the 31,074 plaintiffs who participated in the class-action lawsuit. Broken down, each plaintiff received approximately $241.
Dismissed Cases: Even if a judge dismisses a case against your practice, costs have still been incurred. The healthcare practice will have invested time and money in the lawsuit and may also have suffered negative publicity. CareFirst suffered a breach in 2014 that affected 1.1 million patients. The case against CareFirst was dismissed in 2016, but by then a year of litigation had already taken place.