Kansas Judge Rules that Class Action over CareCentrix Data Breach may Proceed

On December 19, 2016, in Hapka v. Carecentrix, the United States District Court for the District of Kansas denied CareCentrix, Inc.’s (CareCentrix) motion to dismiss a class action suit arising from a data breach affecting CareCentrix’s personal and tax information regarding thousands of employees.  The Court found that plaintiff Sarah Hapka, individually and on behalf of all others similarly situated, met the Article III standing requirements and sufficiently alleged a claim upon which relief could be granted.

Hapka claimed that in February 2016, an unauthorized person posed as one of CareCentrix’s employees and emailed a request for current and former employees’ Internal Revenue Service (IRS) Wage and Tax Statements (W-2 Forms). One of CareCentrix’s employees complied with the request, providing the W-2 Forms which included employees’ names, addresses, birth dates, wages, and Social Security Numbers.  Hapka alleged that shortly after this data breach, she received a letter from the IRS indicating that someone filed a fraudulent tax return in her name.  She later brought the underlying putative class action claiming that CareCentrix negligently permitted the data breach and that she and the class of plaintiffs will suffer imminent and certain impending injury of fraud and identity theft.

CareCentrix conceded that Hapka suffered some form of actual, concrete injury due to the filing of a false tax return. However, it argued that the other allegations of injury—the impending costs of countering the current tax fraud and heightened risk for future identify theft—are too speculative to meet the Article III standing bar set by the Supreme Court’s decision in Spokeo, Inc. v. Robins, which required plaintiffs to show an invasion of a legally protected interest and allege a concrete injury.  The Court rejected CareCentrix’s attempt to look at the plaintiff’s alleged injuries in a vacuum, stating that “[t]he fact that her stolen information has been used once has a direct impact on the plausibility of future harm.” Although the Court acknowledged that federal courts have disagreed about whether an alleged increased risk of identity theft is a sufficient injury to meet standing requirements, it followed the line of cases finding standing because the plaintiffs suffered from identity theft after a data breach.  Ultimately, the Court held that the plaintiffs met standing requirements.

The Court further rejected CareCentrix’s claim that Hapka failed to adequately plead the negligence claim because it did not have a statutory duty of care regarding employee information, and that plaintiff failed to allege any common-law duty. The Court found that identification of a statutory duty was unnecessary, and that the allegations that the harm was foreseeable established a common-law duty to exercise reasonable care.

This case further highlights how the Supreme Court’s decision in Spokeo earlier this year has produced varied results in breach litigation.  The Kansas Court acknowledged the split among federal courts on standing requirements, but effectively avoided ruling on the issue since Hapka actually suffered injury due to the filing of a false tax return.  If the plaintiffs did not have this example demonstrating that a concrete injury had in fact occurred, it is questionable whether the Kansas Court would have decided to deny CareCentrix’s dismissal motion on standing grounds.Continue Reading December 2016 Monthly Update

The day before Thanksgiving, the HHS Office of Civil Rights (OCR) announced its first settlement involving a reported data breach implicating security of medical devices used in the hospital setting. OCR’s $850,000 settlement and resolution agreement with Lahey Hospital and Medical Center (LHMC) stem from the theft of a laptop workstation used to operate and produce images from a portable CT scanner from an unlocked treatment room on August 11, 2011.

Consistent with OCR’s past practice, OCR launched in-depth investigations that uncovered additional alleged HIPAA Security Rule violations following LHMC’s required breach reports to OCR. As part of its resolution agreement, LHMC agreed to update its security policies and procedures and comply with extensive training and reporting requirements conditions of a corrective action plan for two years.

The LHMC resolution is especially noteworthy for several reasons. At the outset, it is the first OCR resolution specifically involving a medical device in a hospital setting, as opposed to ePHI that hospitals store in EMRs/EHRs. Second, the number of individuals affected was relatively low compared to other incidents with comparably large settlements (only 600 people), which shows OCR is focused equally on large and small incidents.Continue Reading HHS-OCR Announces First Settlement Involving Medical Device Security Issues