
Healthcare Data Breach Lawsuits Are On The Rise

 


Author: Rich Selvidge, CISSP / Last Updated: 6/08/2022

Reviewed By: Jason Firch, MBA, Josh Allen, & Michael Swanagan, CISSP, CISA, CISM


BakerHostetler saw an uptick in data breach lawsuits in the weeks following incident notification, especially against healthcare organizations.

 

As healthcare data breaches continue to wreak havoc on small and large businesses around the country, data breach lawsuits are becoming more widespread.

 

According to the latest data security incident report from law firm BakerHostetler, there has been a spike in duplicative litigation, which typically results in high defense and settlement costs.

 

What Happened?

 

BakerHostetler looked at over 1,200 data security events that its Digital Assets and Data Management Practice Group employees assisted clients with between 2021 and 2022.

 

The occurrences affected a wide range of industries, but the data indicated that healthcare was the most heavily impacted, accounting for 23% of all incidents studied.

 

According to the research, twenty-three of the incidents resulted in at least one lawsuit.

 

While this may not appear to be a large number, the twenty-three incidents resulted in over fifty-eight lawsuits.

 

“There was always the danger of multidistrict litigation following significant data breaches in the past.”

 

“However, we increasingly see many cases filed in the same federal court after an event is reported. Alternatively, we observe a handful of instances in one federal court and another handful of cases in a state forum,” according to the paper.

 

“Due to the number of plaintiffs’ attorneys participating, this duplicative litigation tendency is increasing the ‘race to the courthouse’ filings, as well as the initial lawsuit defense expenses and the eventual settlement cost.”

Do Healthcare Providers Win These Lawsuits?

 

As previous cases have demonstrated, it is difficult for plaintiffs to succeed in healthcare data breach litigation.

 

This is in part due to the Supreme Court’s decision in Ramirez v. TransUnion, which said that data breach victims must show real damages and prove that the defendant’s actions caused the damage.

 

The June 2021 decision marked a fundamental shift in the way data breaches are dealt with in court.

 

To establish Article III standing, plaintiffs must now show that they have experienced tangible damage.

 

For example, in February 2022 a court recommended dismissing a class-action lawsuit against medical management business Practicefirst, citing a lack of proof of actual injury caused by a December 2020 breach.

 

“There have been very few published class certification judgments after data events over the last decade,” BakerHostetler stated, “yet the majority of those that did exist were beneficial to the defense.”

 

“However, two significant class certification judgments in 2020 and 2021 are emboldening plaintiffs’ firms, both in terms of the volume of lawsuits they file and their negotiating techniques during mediations.”

 

In addition to legal insights, the research stated that ransomware was responsible for 37% of events in 2021, up from 27% in 2020.

 

Attackers were also seen using double or triple extortion techniques to put further pressure on victims, according to the firm.

 

In a press release, Craig Hoffman, co-leader of BakerHostetler’s national digital risk advisory and cyber security team, said that:

 

“A key difference between organizations that had meaningful ransomware events and those that did not was the use of an endpoint detection and response (EDR) tool that was set in enforcement mode with the anti-uninstall feature enabled.”


How Healthcare Providers Can Protect Themselves

 

  • Limit access to your most valuable data: develop data classification policies and protect data accordingly.
  • Require third-party vendors to comply with your data protection policies.
  • Conduct employee security awareness training; employee mistakes account for over 80% of breaches.
  • Update software regularly; unpatched software opens your network to multiple attack vectors.
  • Develop a cyber breach response plan so you know how to respond in the event of a breach.

 


Rich Selvidge, CISSP

Rich is the CISO at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of IT, healthcare, and security risk management experience.
