At the beginning of August, the D.C. Circuit found that the fact that a data breach has occurred and individual consumer information has been lost may constitute sufficient injury to confer standing on those individual victims at the pleading stage–irrespective of whether any stolen information has been misused. Specifically, Attias, et al. v. CareFirst, Inc., et al., No. 16-7108, 2017 WL 3254941 (D.C. Cir. Aug. 1, 2017) ruled that a class of health insurance policyholders could maintain their suit against CareFirst, due to a cyberattack on the insurance provider’s servers. The court found that “a heightened risk of future identity theft” was enough to confer standing. Id. at *4 n.2. The court based its decision on the fact of the breach and the associated heightened risk rather than on whether any of the policy holders’ identities had actually been stolen. Relying on a prior decision by the Seventh Circuit, the court observed, “Why else would hackers break into a . . . database and steal consumers’ private information?” Id. at *6 (quoting Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015)).

Despite the clarity with which the D.C. Circuit reached its decision, the circuits have split over what exactly an individual whose data has been stolen must show to establish standing in federal court. Article III requires a plaintiff to demonstrate an “injury in fact” that is “fairly traceable” to the defendant’s challenged conduct and is “likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1540 (2016) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61). Some circuits have ruled that the theft of data, without more, does not constitute such an injury. See, e.g., Beck et al. v. McDonald et al., 848 F.3d 262 (4th Cir. 2017). The CareFirst court joined a growing list of circuits ruling to the contrary.

CareFirst also serves as an independent reminder that the theft of medical data can have significant ramifications for victims. Armed with information such as insurance identifiers, a fraudster may “impersonate[] the victim and obtain medical services” in the victim’s name, leading to potentially inaccurate medical records, improper health care, depletion of insurance, ineligibility for health or life insurance, and disqualification from jobs. CareFirst, 2017 WL 3254941, at *6.

Implications for Digital Health Technologies:

CareFirst also highlights the importance of managing data security risks in designing digital health technologies, both because of the potential ease with which a prospective plaintiff may have standing to bring suit and because of the sensitive nature of medical information.  Digital health companies should take steps to manage this risk whether they are building their digital solutions themselves or working with business partners and service providers.  Very often working with business partners and service providers is the quickest and most efficient way to market with a digital solution, but this does mean relying on the data security practices of a third party.  In view of this, appropriate due diligence and contractual terms with respect to data security are essential in digital health agreements.  In addition, the processes and procedures governing a data security incident and any associated plaintiffs’ claims should be addressed in the agreement.  The healthcare industry has been a particular target for ransomware attacks, so contractual commitments with regard to back up and restoration of end user data is important.  The promise of digital health is partly premised on companies being methodical and careful in their commercial contracting and business partner/service provider management.

Tags: data breach, Health IT
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lily Katharine Hines Lily Katharine Hines

Lily Hines focuses her practice on licensing and other commercial transactions related to intellectual property and technology. She also has considerable background providing intellectual property counsel and support in connection with large mergers and acquisitions, which continues to inform her approach to commercial…

Lily Hines focuses her practice on licensing and other commercial transactions related to intellectual property and technology. She also has considerable background providing intellectual property counsel and support in connection with large mergers and acquisitions, which continues to inform her approach to commercial matters. Prior to entering law practice, Ms. Hines clerked for a federal district court judge.

Email
Show more Show less
Photo of Nigel Howard Nigel Howard

Nigel Howard’s practice focuses on technology, outsourcing, and intellectual property issues. He represents clients in complex technology transactions, including outsourcing, licensing, corporate partnering, and strategic alliance transactions. Mr. Howard also has experience representing clients during IP property purchases and sales, and in reviews…

Nigel Howard’s practice focuses on technology, outsourcing, and intellectual property issues. He represents clients in complex technology transactions, including outsourcing, licensing, corporate partnering, and strategic alliance transactions. Mr. Howard also has experience representing clients during IP property purchases and sales, and in reviews of IP portfolios in relation to corporate financing and merger and acquisition transactions. His experience includes cross-border technology transfers, development and testing arrangements, distribution channels, technology deployment, and electronic commerce as well as privacy laws with regard to electronic databases and online services.

Read more about Nigel HowardEmail
Show more Show less