Could HIPAA Security Update Mean Bigger Lawsuit Payouts?
Experts Expect Breach Lawsuits to Multiply, Bolstered by New Compliance Standards
Tampa General Hospital is the latest healthcare organization to settle a breach lawsuit. The hospital agreed to pay $6.8 million to settle with plaintiffs over a 2023 data theft incident that affected 2.1 million people.
Proposed federal class action lawsuits are all too common after virtually any breach in healthcare. While HIPAA does not provide a private right of action, many of these lawsuits allege that the defendant failed to comply with standards such as the HIPAA rules, arguing that such compliance is part of the defendant's obligations to plaintiffs and class members.
And the bar to proving the plaintiff's case could be lowering with the release in late December by Health and Human Services' Office for Civil Rights of a notice of proposed rulemaking to strengthen the HIPAA security rule requirements (see: What's in HHS' Proposed HIPAA Security Rule Overhaul).
Among the proposed requirements for regulated entities are enhanced monitoring, multifactor authentication, network segmentation and encryption.
The fate of the proposed rulemaking is uncertain, with a new presidential administration and new HHS leadership soon coming into office. But if an update to the HIPAA Security Rule is eventually finalized, some experts predict it could give a boost to class action lawsuits filed against HIPAA-regulated organizations in the wake of major breaches.
"The proposed Security Rule modifications would require HIPAA-regulated entities to meet specific, much higher compliance standards bolstering claims that defendants neglected to protect PHI required by lawful standards of care," said regulatory attorney Paul Hales of the Hales Law Group.
"Regardless of the outcome of the rulemaking process, class action health data breach lawsuits will continue to multiply," he added.
Plaintiffs in a consolidated amended lawsuit complaint filed in August 2023 alleged that Tampa General Hospital was negligent in failing to protect their sensitive information. The lawsuit also alleged breach of implied contract, unjust enrichment and violations of the Florida Deceptive and Unfair Trade Practices Act.
TGH in a July 2023 breach notice said it had detected unusual activity on its systems on May 31, 2023, and had thwarted an attempt by attackers to encrypt the organization's IT systems (see: Lawsuits Mounting Against Florida in Wake of Breach).
Despite TGH stopping the ransomware encryption, its investigation into the incident determined that certain files from the hospital's systems had been accessed and obtained by attackers over three weeks, between May 12 and May 30.
Information compromised in the incident included names, addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service, and/or limited treatment information used by the defendant for its business operations.
As part of the settlement, TGH denies the allegations and any wrongdoing or liability.
Under the settlement, class members are eligible for payment of documented unreimbursed ordinary losses fairly traceable to the data security incident up to a total of $1,500 per person; compensation for documented extraordinary losses up to a total of $7,500; or a $125 cash payment.
In addition, settlement class members may also elect to receive one year of free credit monitoring.
The deadline to file claims is Jan. 12 and a final approval hearing by the court is slated for Feb. 3.
The five class representatives are expected to receive service awards of $2,500 each. Plaintiffs' attorneys are expected to receive up to one-third of the settlement fund, or about $2.26 million.
Plaintiffs' attorneys did not immediately respond to Information Security Media Group's request for comment on the settlement.
TGH in a statement to ISMG said, "We are pleased to have reached a settlement that TGH believes is beneficial to those who may have been affected."
"Since the data incident, TGH has notified impacted parties, conducted a full investigation, and implemented a variety of additional safeguards to help reduce the likelihood of a similar incident occurring again," the statement said.
"The hospital is continuously updating and hardening systems to help prevent events such as this from occurring and has implemented additional defensive tools and increased monitoring."
HIPAA Under the Next Administration
The HIPAA Security Rule updates will transition to a new administration after President-Elect Donald Trump is sworn in Jan. 20. Hales predicted the rule will be modified during the Trump administration.
"The need to strengthen cybersecurity has bipartisan support. It is difficult to predict the final content of the modified Security Rule," Hales said.
How the HIPAA Security Rule is eventually updated could also be greatly influenced by the public comments HHS receives in response to the proposed rulemaking, he said.
"The 60-day comment period may unleash a firestorm of objections. We already note complaints by affected organizations of all sizes that some proposed modifications are unrealistic, overly burdensome, and too expensive."