Last week, in a putative class action, the Eastern District of Wisconsin in Dusterhoft v. OneTouchPoint Corp., 2024 U.S. Dist. LEXIS 170993 (ED WI 2024), issued a decision denying a motion to dismiss, in part, that underscores the importance for healthcare entities of strong privacy compliance, including due diligence and auditing with respect to HIPAA-protected information provided to “business associates.”
OneTouchPoint provides brand management, marketing, printing, and supply chain logistics to healthcare providers. In connection with those services, “OneTouchPoint collects and maintains names, addresses, Social Security numbers (SSNs), member IDs, dates of birth, health insurance information, and other medical information provided during health assessments.” OneTouchPoint discovered that its servers had been improperly accessed causing a breach of 2.6 million individuals’ data, including patients of nearly 40 health insurers and healthcare service providers.
After receiving letters from OneTouchPoint advising them of the breach, nine named plaintiffs from Arizona, Georgia, Maine, Minnesota, South Carolina, and Wisconsin claimed that they provided information to OneTouchPoint clients, who in turn provided to OneTouchPoint their HIPAA-protected information that was disseminated in the breach. Pertinent to this article, the only injuries alleged by five of the named plaintiffs is spending time and money combatting the effects of the breach, such as calling banks, credit card companies, etc., and dimunition in the value of their information.
The Court held the dimunition in value claim was insufficient to establish standing, but he time the named plaintiffs spent mitigating the effects of the breach was an injury sufficient to establish standing. The Court further held that the complaint sufficiently alleged a claim for negligence because, as alleged damages, the mitigation efforts were not too speculative, and could be shown to be causally related to the breach.
Importantly, the Court rejected OneTouchPoint’s assertion that HIPAA and Section 5 of the FTC Act do not create a private right of action to assert a claim for negligence per se, i.e., a violation of those Acts’ requirements with respect to protected information, explaining that statutory intent should dictate whether a claim for negligence per se can be asserted, and the parties did not brief that issue sufficiently. This argument, held the Court, could be raised again on summary judgment.
That the named plaintiffs will be able to proceed on their negligence and negligence per se claims, at least until a dispositive motion is filed, highlights the importance of a “Covered Entity,” like a hospital or medical practice, sufficiently understanding how a Business Associate will secure protected information. OneTouchPoint may now have to incur the significant expense of class discovery, which could lead to a settlement-leveraging class certification motion. Given that a HIPAA “Covered Entity” can be liable under HIPAA for failing to properly diligence a Business Associate, one can envision negligence and negligence per se claims being brought against a Covered Entity for a Business Associate’s data breach. Consequently, a Covered Entity should be vigilant when it diligences a Business Associate, and insist on indemnification for any claims that result from the Business Associate’s data breach.
Duane Morris attorneys are experienced in advising clients with respect to HIPAA’s privacy and security requirements.