Putative Class Action Underscores Need for HIPAA Covered Entities to Diligence Business Associates

Seth Goldberg
Seth Goldberg

Last week, in a putative class action, the Eastern District of Wisconsin in Dusterhoft v. OneTouchPoint Corp., 2024 U.S. Dist. LEXIS 170993 (ED WI 2024), issued a decision denying a motion to dismiss, in part, that underscores the importance for healthcare entities of strong privacy compliance, including due diligence and auditing with respect to HIPAA-protected information provided to “business associates.”

OneTouchPoint provides brand management, marketing, printing, and supply chain logistics to healthcare providers. In connection with those services, “OneTouchPoint collects and maintains names, addresses, Social Security numbers (SSNs), member IDs, dates of birth, health insurance information, and other medical information provided during health assessments.” OneTouchPoint discovered that its servers had been improperly accessed causing a breach of 2.6 million individuals’ data, including patients of nearly 40 health insurers and healthcare service providers.

After receiving letters from OneTouchPoint advising them of the breach, nine named plaintiffs from Arizona, Georgia, Maine, Minnesota, South Carolina, and Wisconsin claimed that they provided information to OneTouchPoint clients, who in turn provided to OneTouchPoint their HIPAA-protected information that was disseminated in the breach. Pertinent to this article, the only injuries alleged by five of the named plaintiffs is spending time and money combatting the effects of the breach, such as calling banks, credit card companies, etc., and dimunition in the value of their information.

The Court held the dimunition in value claim was insufficient to establish standing, but he time the named plaintiffs spent mitigating the effects of the breach was an injury sufficient to establish standing. The Court further held that the complaint sufficiently alleged a claim for negligence because, as alleged damages, the mitigation efforts were not too speculative, and could be shown to be causally related to the breach.

Importantly, the Court rejected OneTouchPoint’s assertion that HIPAA and Section 5 of the FTC Act do not create a private right of action to assert a claim for negligence per se, i.e., a violation of those Acts’ requirements with respect to protected information, explaining that statutory intent should dictate whether a claim for negligence per se can be asserted, and the parties did not brief that issue sufficiently. This argument, held the Court, could be raised again on summary judgment.

That the named plaintiffs will be able to proceed on their negligence and negligence per se claims, at least until a dispositive motion is filed, highlights the importance of a “Covered Entity,” like a hospital or medical practice, sufficiently understanding how a Business Associate will secure protected information. OneTouchPoint may now have to incur the significant expense of class discovery, which could lead to a settlement-leveraging class certification motion. Given that a HIPAA “Covered Entity” can be liable under HIPAA for failing to properly diligence a Business Associate, one can envision negligence and negligence per se claims being brought against a Covered Entity for a Business Associate’s data breach. Consequently, a Covered Entity should be vigilant when it diligences a Business Associate, and insist on indemnification for any claims that result from the Business Associate’s data breach.

Duane Morris attorneys are experienced in advising clients with respect to HIPAA’s privacy and security requirements.

Class Action ADA Lawsuit Filed Against Hospital – A Sign of More to Come?

Disability discrimination lawsuits against hospitals have become relatively common in recent years as former hospital employees allege that their former employers discriminated against them on the basis of various disabilities in violation of the Americans with Disabilities Act of 1990. Other ADA lawsuits have been filed against hospitals and other healthcare providers, claiming that their websites or parking lots do not adequately accommodate those with disabilities. Yet others have been filed accusing hospitals of failing to accommodate deaf patients by not providing a live interpreter. But few, if any, major lawsuits had been brought against hospitals and healthcare providers alleging that the facilities themselves fail to accommodate patients with physical disabilities. That may have changed with a putative class action lawsuit filed in the U.S. District Court for the Western District of Pennsylvania in late July, which may be the first of many cases to come.

View the full Alert on the Duane Morris LLP website.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress