Banner Health Suits Raise Significant Questions for Data Breach Class Actions

Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians.  The breach has been reported as the largest for a hospital in 2016.

According to Banner Health, attackers obtained access to the “point-of-sale” systems at food and beverage outlets in its facilities, reminiscent of recent attacks suffered by the hospitality industry.  Apparently, Banner Health failed to separate its systems and servers containing personally identifying information (“PII”) and protected health information (“PHI”) from those used for its point-of-sale system.  After the breach, Banner informed its employees and its patients that their data may have been compromised.

Banner Health’s patients and providers wasted little time in bringing suit, with both having filed class action complaints in the District of Arizona.  Plaintiffs allege that Banner Health negligently maintained the security of Plaintiffs’ PII and PHI, failed to immediately notify them of the data breach, breached Banner Health’s representations concerning its data security, and violated Plaintiffs’ right to privacy.

Banner Health has not yet filed motions to dismiss or answers.  But given the allegations in the complaints, the district court will need to resolve a number of unsettled questions:

•  Standing: The named Plaintiffs do not know whether hackers accessed—let alone used—their data. Accordingly, they pled that they “live in fear of identity theft” and that they have spent “time and money safeguarding” their personal and private information.  Although the Seventh Circuit held that such allegations are sufficient for Article III standing, the Ninth Circuit has not weighed in on this issue.

•  Contractual Obligations: In other data breach class actions against health care providers and insurers, plaintiffs have claimed—with mixed success—that their contracts incorporated the entities’ PHI and PII privacy policies. In the Banner Health complaints, Plaintiffs have not asserted a claim for breach of contract, instead asserting a promissory estoppel claim.  It is unclear whether this tactic will prove successful.

•  Failure to Notify: Some courts have held that defendants who disclose data breaches or provide free fraud protection services admit—at least at the pleading stage—that plaintiffs were among those affected by a data breach. The complaints in Banner Health, in contrast, show that failure to promptly notify consumers of a breach raises its own set of problems.  Relying on Arizona law, Plaintiffs alleged that Banner Health is liable for not providing notice in the “most expedient manner possible and without unreasonable delay.”

•  Federal Trade Commission (“FTC”) Act Violations: The FTC has stepped up its enforcement efforts against companies that fail to protect consumers’ data. The Commission has concluded that lax cybersecurity practices are “unfair or deceptive acts” under the FTC Act.  That Act, though, does not provide a right of action for private parties.  So, Plaintiffs in Banner Health are bootstrapping recent FTC decisions, claiming that Banner Health acted negligently under Arizona law because it violated the FTC Act.  Plaintiffs may also argue that, in light of the FTC’s recent decisions, Banner Health violated the Arizona Consumer Fraud Act—which, like the FTC Act, prohibits “deceptive or unfair” acts and practices.  Rev. Stat. §44-1522; see Sellinger v. Freeway Mobile Home Sales, 110 Ariz. 573, 575 (1974) (implying a right of action).

These lawsuits are not the end of Banner Health’s problems.  It does not appear that the Department of Health and Human Services (“DHHS”) has initiated proceedings against Banner Health.  But if the past is a prologue, an enforcement action is a real possibility.  Banner Health owns and operates over 29 hospitals and various other health facilities.  As such, it is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  And the implementing regulations for those statutes require covered entities to properly secure electronic PII and PHI—or face monetary penalties.

The Banner Health breach shows the danger of not segregating point-of-sale systems from systems that store medical records.  Indeed, a 2012 study by Verizon showed that point-of-sale systems are responsible for 48% of assets compromised in health care data breaches.  Health care providers should make sure that attackers cannot use point-of-sale systems—especially if those systems are also used by third-party vendors—as a jumping-off point to access the company’s entire network.

Whatever the Arizona district court ultimately decides, this case should have a significant impact on future data breach class actions.  We will continue to monitor the case, so stay tuned for further updates.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising
