By: Raj Shah, Senior Regulatory Attorney & Policyholder Advisor, MagMutual Insurance Company & Nicholas Forsyth, Risk Intern, MagMutual Insurance Company
As malware and intrusion techniques become more sophisticated and harder to detect, healthcare organizations face an increasing risk of class action data breach lawsuits. Healthcare organizations store an abundance of protected health information about their patients, which makes them attractive targets for sophisticated hackers. If a hacker successfully breaches a healthcare organization’s security measures, the hacker gains access to hundreds, if not thousands, of patients’ protected health information. That information often includes Social Security numbers, sensitive medical information, and credit card information. A hacker holding it has the potential to commit identity theft and cause significant harm to the healthcare organization’s patients.
In response to the data breach, plaintiffs will likely bring a negligence claim against the healthcare organization. The plaintiffs will assert that they suffered injuries such as identity theft, costs associated with mitigating the threat of identity theft, or even that they now face an increased risk of identity theft. The plaintiffs will attempt to show that the healthcare organization owed the patients a duty to safely and securely store their protected health information, that the organization breached this duty by allowing the data to be stolen, and that the breach was the proximate cause of their injuries. Due to the sheer volume of protected health information that may be stolen during a data breach, healthcare organizations will rarely face single claimants individually. Patients whose protected health information has been stolen will seek class certification to increase their chances of a successful claim against the healthcare organization.
In addition to facing multiple claimants, healthcare organizations located in Georgia face a judicial landscape that seemingly varies on what allegations must be asserted to establish standing and satisfy the injury requirement of a negligence claim. However, the two leading cases on standing to bring a data breach class action for negligence, the state court case Collins v. Athens Orthopedic Clinic, P.A. and the federal court case Tsao v. Captiva MVP Restaurant Partners, LLC, demonstrate that the apparent discrepancies between Georgia law and 11th Circuit federal law depend more on the facts of each case than on which court hears it.[i]
In Collins, a hacker breached a large healthcare organization’s computer systems.[ii] The hacker obtained over 200,000 patients’ protected health information. After obtaining the patients’ protected health information stored by the healthcare organization, the hacker demanded a ransom for the protected health information.[iii] When those efforts were unsuccessful, the hacker offered the protected health information for sale on the dark web.[iv] As a result of the data breach, patients brought a negligence action against the clinic.[v]
The Georgia Supreme Court in Collins reinforced that a legally cognizable injury to an individual whose information has been stolen in a data breach is more than the mere fear of future speculative harm.[vi] The Court reasoned that harm is mere speculation, and does not satisfy the injury element of negligence, when the circumstances that would lead to injury, based on the allegations, are too attenuated.[vii] Under Georgia law, a complaint involving the exposure of personal information must allege that the data was actually obtained by a criminal actor and that the information was used for criminal purposes to the detriment of the individuals.[viii] Failure to allege both warrants dismissal for failure to state a claim under OCGA § 9-11-12(b)(6).[ix] The reasoning is that, absent both allegations, there are no provable facts that would entitle the party to the relief sought.[x] Accordingly, a negligence claim requires an actual injury, not merely speculative fear of an injury.[xi]
In Collins, the Court held that the complaint was sufficient to survive a motion to dismiss because the plaintiffs included specific references to actual misuse of patients’ protected health information.[xii] The plaintiffs asserted that the hacker had actually obtained their protected health information.[xiii] The complaint described the hacker’s attempt to ransom the protected health information and the hacker’s attempts to sell it on the dark web.[xiv] The plaintiffs also alleged that several class members had already experienced identity theft as a result of the data breach.[xv]
In Captiva, a large restaurant chain experienced a data breach of its point-of-sale system.[xvi] As a result of the data breach, customers’ personal information was potentially exposed to criminal third parties.[xvii] The exposed information included customers’ credit card and other financial information.[xviii] Following the data breach, the restaurant chain notified customers that their personal information may have been stolen.[xix] After the notification, customers brought a negligence action against the restaurant chain.
Like the Georgia Supreme Court, the 11th Circuit in Captiva held that allegations of an increased risk of future potential harm alone do not satisfy the injury-in-fact requirement to confer standing.[xx] The 11th Circuit restated the U.S. Supreme Court’s ruling that plaintiffs must plausibly and clearly allege a concrete injury that is actual or imminent.[xxi] When plaintiffs’ allegations are merely conclusory statements, the allegations are not concrete.[xxii] Additionally, plaintiffs do not create a concrete injury by incurring costs to mitigate conjectural and hypothetical risks.[xxiii]
In Captiva, the 11th Circuit held the complaint was not sufficient to survive a motion to dismiss because the plaintiffs did not include specific instances of misuse of the customers’ personal information.[xxiv] The plaintiffs failed to assert that a criminal party had actually obtained any personal information.[xxv] Similarly, the plaintiffs failed to allege that any customer had actually suffered identity theft due to the data breach.[xxvi]
The Georgia Supreme Court and the 11th Circuit both agree that the mere allegation of an increased risk of future potential harm does not satisfy the injury requirement of a negligence claim. The risk of future potential harm becomes a more concrete injury when the allegations in the complaint identify specific instances of data falling into criminal hands and the criminal uses the data to the detriment of the individuals. The patients in Collins succeeded in surviving a motion to dismiss because the allegations they asserted contained specific references to how the hacker had actually obtained data.[xxvii] Their allegations also asserted specific instances where the hacker attempted to ransom the data and sell the information on the dark web.[xxviii]
In Captiva, the plaintiffs alleged neither. They made only conclusory statements that, because their data may have been stolen, they faced an increased risk of future harm.[xxix] The plaintiffs also alleged that they had proactively cancelled their credit cards and, as a result, lost the opportunity to accrue valuable credit card points.[xxx] The complaint was therefore dismissed for lack of standing.[xxxi] Collins and Captiva illustrate that Georgia law and 11th Circuit federal law are in agreement and that outcomes will be determined by the underlying facts of each case.
What This Means for Counsel of Healthcare Organizations in Georgia
Defense counsel for healthcare organizations face a challenging battle in curbing class action lawsuits against their clients. Initially, it may be enough to file a motion to dismiss for failure to state a claim or to challenge the plaintiffs’ standing. If the data breach is recent, it is unlikely that sufficient time has passed for the criminal to misuse the patients’ protected health information and commit identity theft. As time passes, however, it becomes more likely that the criminal has begun engaging in activity to the detriment of the patients. If plaintiffs allege that the criminal is actually misusing their protected health information, for example to commit identity theft, plaintiffs will likely establish standing and have asserted a legally cognizable injury.
Because Collins provides plaintiffs a framework to survive a motion to dismiss, settlement negotiations will likely become a more prominent aspect of large-scale data breach cases. Additionally, the positive outcome for class action plaintiffs in Collins will likely lead to forum shopping among plaintiffs. When bringing a suit, plaintiffs’ attorneys will try to remain in state court instead of federal court.
Best Practices to Avoid Class Action Data Breach Cases
Avoiding a class action suit following a data breach begins with the healthcare organization. Healthcare organizations should routinely monitor and update the information technology that stores and protects protected health information. As a best practice, healthcare organizations should require multi-factor authentication for access to protected health information. Further, healthcare organizations should actively train and educate their employees about responsibly handling, storing, and transmitting protected health information. Importantly, healthcare organizations that implement these proactive measures will significantly reduce the likelihood of a large-scale data breach and therefore reduce the risk
[i] Collins v. Athens Orthopedic Clinic, P.A., 307 Ga. 555 (2019); Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332 (11th Cir. 2021).
[ii] Collins, 307 Ga. at 556.
[vi] Id. at 564.
[vii] Id. at 560.
[viii] Id. at 555.
[ix] Id. at 557.
[xii] Id. at 563.
[xvi] Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332 (11th Cir. 2021).
[xvii] Id. at 1335.
[xx] Id. at 1337.
[xxiii] Id. at 1335.
[xxiv] Id. at 1343.
[xxvii] Collins v. Athens Orthopedic Clinic, P.A., 307 Ga. 555, 563 (2019).
[xxix] Tsao, 986 F.3d at 1344.