A recent class action brought against the University of Miami (“University”) previews what could become an emerging trend among plaintiffs’ class action attorneys to seek damages for the unauthorized disclosure of personal health information under the Fair Credit Reporting Act (“FCRA” or the “Act”). Enforcement actions for data breaches involving the unauthorized disclosure of personal health information (“PHI”) by health care systems or hospitals typically fall under the purview of the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”). However, recent class action plaintiffs’ attorneys have advanced unique arguments in an attempt to bring data breaches involving PHI under the protections afforded by the FCRA.
The FCRA governs Credit Reporting Agencies (“CRAs”) and was enacted to ensure that CRAs assemble personal information on consumers accurately and fairly while maintaining the privacy of that information. 15 U.S.C. § 1681a(f). Typically, CRAs assemble and sell “consumer reports” to businesses, such as credit card companies and banks, for use in evaluating a consumer’s eligibility for credit, insurance or employment. 15 U.S.C. § 1681a(d). The FCRA requires that CRAs follow reasonable procedures to protect the information. 15 U.S.C. § 1681e(a). Well-known CRAs include Experian, TransUnion and Equifax. Notably, the FCRA provides for statutory damages of up to $1,000 and punitive damages for willful noncompliance with the Act. 15 U.S.C. § 1681n(b). Attorney’s fees may also be collected under the Act. 15 U.S.C. §§ 1681n(c) & 1681o(b).
Class Action Claims Against the University of Miami Health System
In February, current and former patients (“Patients”) filed a class action complaint in the U.S. District Court for the Southern District of Florida against the University, alleging that the University allowed unauthorized access to confidential records of putative class members, including PHI, that were held by a third-party offsite records vendor without the patients’ knowledge or consent and without sufficient security.
Patients asserted, among other things, that the hospital violated the FCRA by failing to implement adequate safeguards to protect their personally identifiable information and PHI from a data breach suffered by the third-party vendor. The Patients argued that the hospital was a CRA that created “consumer reports” containing sensitive information, including names, dates of birth, social security numbers, billing information and confidential health records, and disseminated this information to medical service providers affiliated with the University. Patients alleged that the University allowed employees of the outside vendor and others to gain unrestricted access to the patients’ personally identifiable information and PHI, which was allegedly misused and intentionally disclosed to third parties for profit.
The University settled these claims last week for just over $100,000, before the court could consider the viability of plaintiffs’ arguments under the FCRA. Nonetheless, there is a class action currently pending in the U.S. District Court for the Middle District of Alabama where hospital patients advanced similar arguments regarding the disclosure of medical and personal information by a hospital under the FCRA. In light of the settlement by the University, the outcome of this case in Alabama may reveal how courts will consider these arguments under the FCRA.
Fair Credit Reporting Act
Plaintiffs’ theory of liability under the FCRA is likely based on the fact that the Act specifically restricts the reporting of medical information to limited purposes and only if the patient has specifically consented to the disclosure. 15 U.S.C. § 1681b(g). The Act also allows for the distribution of consumer reports for “any legitimate business need.” 15 U.S.C. § 1681b(3)(e). However, it is questionable whether hospitals and healthcare systems are CRAs that engage in the business of “regularly assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” Hospitals have not traditionally been considered CRAs. Further, hospitals typically collect personal identity information and PHI for their own business and record keeping purposes, not for the purpose of creating and furnishing “consumer reports” to third parties as is required under the FCRA.
Emerging Cause of Action for Data Breach Involving Private Health Information
Importantly, the claims asserted by class plaintiffs in these cases illustrate a novel use of the FCRA in the context of private health data. Plaintiffs have traditionally relied on HIPAA to redress data breaches involving PHI. However, should courts accept the argument that hospitals and medical providers are CRAs subject to the requirements of the FCRA, plaintiffs will be able to assert claims for statutory and punitive damages directly, rather than relying on HHS to institute enforcement actions under HIPAA when data breaches occur. As the recent data breach of 4.5 million patient records at Community Health Systems, Inc. illustrates, the number of patient records that may be involved in a single incident can produce very substantial and potentially crippling statutory damages. If plaintiffs’ claims under the FCRA find traction, hospitals, medical providers and healthcare systems can certainly expect these types of private patient actions to follow.