Class Action Suits Would Focus on PIH Health Breach That Affected 200,000
Several law firms are racing to be among the first to file class action lawsuits against PIH Health in the wake of the California-based regional healthcare network reporting last month that a 2019 phishing breach affected nearly 200,000 individuals.
Since Jan. 30, at least three law firms have issued public statements announcing they are “investigating” the data breach reported on Jan. 10 by PIH Health and inviting victims of the incident to contact the firms with information about the impact.
As of Monday, law firms soliciting victims of the PIH Health data breach to contact them include KellerGrover LLP, Federman & Sherwood and Abington Cole & Ellery.
A search of U.S. federal courts nationwide Monday via the online public access service Pacer did not turn up any lawsuits that have been filed against PIH Health in the aftermath of its data breach disclosure.
PIH Health and the three law firms issuing statements did not immediately respond to Information Security Media Group’s requests for comment.
San Francisco-based KellerGrover LLP issued a press release on Feb. 7 noting that the data breach reported by PIH Health exposed patient names, treatment and diagnosis information, Social Security numbers and driver’s license numbers.
“Healthcare providers are required to give patients timely notice of data breaches, and the negligent release and disclosure of medical information can, under certain circumstances, give rise to claims by affected individuals for money damages,” Keller Grover LLP attorney Eric Grover said in the statement.
In its Jan. 30 statement, Oklahoma City-based Federman & Sherwood said it was investigating the PIH Health breach because “malicious actors often target healthcare companies, such as PIH Health, to obtain patients’ sensitive health and personal information, which can be used to commit identity theft, blackmail and other crimes against patients.”
On its website, Federman & Sherwood is also inviting individual victims of the PIH Health breach to fill out a “confidential questionnaire” that includes questions such as whether they have experienced “any type of fraud relating to the data breach at PIH Health.”
A third law firm, Abington Cole & Ellery Law of Tulsa, Oklahoma, which has announced it is investigating the PIH Health data breach, notes in its statement that “health data breaches can be extremely dangerous and expose patients to ransom shakedowns, whereby those in possession of the health data threaten to release patients’ private and sensitive health information to the public if patients fail to make ransom payments.”
In its Jan. 10 breach notification statement, PIH Health says that on June 18, 2019, it learned that certain PIH Health employee email accounts had potentially been accessed without authorization as a result of a targeted phishing campaign.
“Upon learning of this information, PIH Health took steps to secure its email system and network, including resetting the passwords required to access potentially affected employee email accounts. PIH Health also immediately launched an investigation and engaged leading, independent cybersecurity experts to provide assistance,” the statement notes.
PIH Health says that as a result of its investigation, on Oct. 2, 2019, it determined that certain employee email accounts were accessed without authorization between June 11 and June 18, 2019.
The Department of Health and Human Services’ Office for Civil Rights’ HIPAA Breach Reporting Tool website lists the PIH Health hacking/IT incident as affecting nearly 200,000 individuals. As of Monday, the PIH Health incident is the second largest breach added to the federal website so far in 2020.
The HITECH Act mandates that covered entities notify individuals of a health data breach without unreasonable delay but in no case later than 60 days from the discovery of the breach, except where law enforcement has requested a delay. PIH Health has not commented on why it apparently took several months to report the incident to HHS after discovering the phishing attack.
Race to Be First?
Some legal experts note that competition is growing among law firms to represent victims in data breach lawsuits seeking class action status.
“Class action lawsuits based on health information law violations are a booming legal business for defense and plaintiff lawyers. Both are becoming much more adept and sophisticated at handling these cases,” says independent HIPAA attorney Paul Hales.
After large data breaches, Hales says, many law firms race to quickly file lawsuits. “Multiple law firms may file class actions quickly to address the same breach and become lead counsel as cases are consolidated,” he notes.
But being first to file a potential class action lawsuit in the aftermath of a major health data breach is not a guaranteed advantage, says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C.
“In the past, prevailing in a competition for leadership in a class action meant being first to file, particularly where, for example, a data breach affects victims nationwide,” he says. “That’s not typically the case today. In such situations, [where there] will be potentially many plaintiff-side firms vying for leadership, the courts are tending to evaluate competing firms using a variety of criteria. Experience and competence play a large role, and the courts are also seeking more diversity in the firms selected for leadership, executive committee and steering committee roles.”
Law firms issuing press releases announcing they are “investigating” data breaches in pursuit of potential class action lawsuits is a recent development, Teppler adds.
“In my experience, such public press releases have not been very common, as firms routinely seek clients through a combination of social media, traditional broadcast and other online advertising means in connection with cases being investigated,” he says. “I can only guess that a press release may be perceived as getting better ranking in search engine optimization. Inevitably, the major search engines modify their algorithms to address this.”
So how should other organizations prepare in advance for potential post-breach lawsuits?
“Healthcare providers and health plans must be prepared to defend class actions, but the best strategy is prevention,” Hales says. “When a breach does occur, it is essential that all steps of the HIPAA Breach Notification Rule and applicable state breach law be followed promptly. We do not know why PIH Health waited until 2020 to report a June 2019 breach to federal and California authorities, but that delay may have increased its liability and ultimate costs.”
In light of the rising number of security incidents and the lawsuits that follow them, Teppler says having a cyberinsurance policy “is as important as having ordinary property and casualty insurance. Having counsel review policies can ensure that coverage is adequate from both a scope as well as monetary perspective.”
In terms of helping individual victims of data security incidents, breached entities should offer expanded credit and/or background monitoring, “but helping victims of compromise to mitigate the effects of a compromise should also be considered as an option,” Teppler says.
“For breaches that occur as a result of a compromise of a connected device, or the managed service provider that intermediates between a consumer and the device, there should be other remedial measures to make the consumer whole.”