BioPlus Specialty Pharmacy Faces Lawsuit Over Healthcare Data Breach -

"Florida-based BioPlus Specialty Pharmacy allegedly failed to safeguard PII and notify patients of a healthcare data breach that impacted 350K, the lawsuit claimed."

Why this is important: Another day, another data breach of a healthcare provider that resulted in the unauthorized access of patients' personally identifiable information ("PII") and protected health information ("PHI"). In this case, BioPlus Specialty Pharmacy in Florida suffered a data breach between October 25, 2021 and November 11, 2021 that impacted approximately 350,000 BioPlus customers. BioPlus is now embroiled in a class action lawsuit related to the breach. This is a common result of a healthcare related data breach, large or small. What is interesting about this case are the claims the putative class are asserting and the damages they are seeking. In addition to claiming that BioPlus was negligent in allowing its computer system to be breached, the putative class is also arguing that BioPlus failed to timely notify the affected customers of the breach. It is unlikely that the putative class will be able to recover on this claim because BioPlus notified the affected customers within 29-days of the discovery of the breach, which is well within the HIPAA mandated 60-day notification deadline. In addition to seeking the usual data breach damages of costs, expenses, and lost time related to protect themselves against the breach, the putative class is also seeking to recover possible future damages, including for "fraudulent charges, medical procedures ordered in patients’ names without their permission, and targeted advertising without patient consent.” Because these possible future events are speculative, it is unlikely that the putative class will be able to recover these damages. But, those are not the most creative damages the putative class is seeking. They are also requesting an award of damages for the diminished value of their PII and PHI due to the breach and believed sale of this private information on the black market. This is an interesting argument to make because these damages will be incredibly difficult to prove. They would first be required to prove that their PII and PHI were subsequently sold on the black market following the breach. After proving that the information was sold by the bad actors, the plaintiffs then have to show that their PII and PHI suffered a diminishment in value. If there is no legitimate market, or if the members of the putative class are not intending to ever sell their PII and PHI, then there can be no diminishment in value because the PII and PHI had no intrinsic value in the first place. If there is a legitimate market for this information, the putative class would have to prove that this market even cares about where else this information may have been sold. Only then does the actual calculation of the diminishment in value of the PII and PHI become relevant. How you calculate the diminishment in the legitimate value of information that is intrinsically private and for which there may be no legitimate market is a thought-provoking problem that would require expert testimony. At this time, based on the limited information we have on the putative class' argument in favor of these damages, it would appear that the putative class would not be able to recover damages on the alleged diminished value of their PII and PHI because there would be no way to quantify what the value of that information is pre- and post-breach. What this case shows is that class action plaintiffs' counsel are getting creative and advancing new arguments and damages claims in an attempt to increase their recoveries, either through settlement or trial, in data breach cases. Whether these creative arguments will pay off has yet to be seen.