Michael Coco writes:

The dreaded PHI data breach is every covered entity’s bad dream, but the West Virginia Supreme Court just turned that bad dream into a nightmare. The court decided a case, Tabata v. Charleston Area Medical Center, Inc., brought on behalf of thousands of patients requesting class certification to sue the medical center for breaching their privacy rights. The patients alleged that the medical center was responsible for placing their personal and medical information on an electronic database and website, which was accessible to the public. This database included names, contact details, Social Security Numbers, and dates of birth of 3,655 patients, along with certain basic respiratory care information. The breach was also an apparent HIPAA violation and was reported by the Center on the “Wall of Shame” website for reporting HIPAA data breaches involving more than 500 individuals. A business associate, Xforia Web Services, was also reported on the website as having been involved in the breach but is not listed among the parties in the West Virginia Supreme Court opinion.

The lower West Virginia court held that the patients lacked standing and could not be certified as a class because they had no actual, concrete damages as a result of their information being accessible on a website controlled by the medical center. None of the patients could prove their information was stolen or used for a nefarious purpose, and their claims were based on a general invasion of privacy action and emotional distress.

In reversing the lower court ruling, the West Virginia Supreme Court focused on the four usual requirements to certify a class – “numerosity”, commonality, typicality, and adequacy of representation – and did not require the class members to prove any actual, pecuniary damages. The West Virginia Supreme Court determined that a violation of the patient’s right to privacy alone was enough to create the requisite standing to bring an action, and the plaintiffs need not prove actual damages as a prerequisite to class certification.

This state ruling stands in contrast to the federal rule articulated in Federal Aviation Administration v. Cooper, in which the Supreme Court of the United States evaluated the standing issue under the doctrine of sovereign immunity and held that an individual needed to prove actual, pecuniary damages before he or she might prevail in a suit against the federal government for wrongful disclosure of health information under the Privacy Act.

Although limited to West Virginia, the Tabata ruling could persuade courts in other states to allow breach actions brought by affected individuals even where proof of damages is lacking. Normally, a covered entity might suffer fines, notification and remediation costs, and negative publicity for a breach, but HIPAA does not provide individuals a private cause of action.  As long as no PHI was actually stolen and used to injure a party, the ability of a patient to bring a private civil suit in state court is limited. The Tabata case opens the door to filings in state court by any patient who had his or her information impermissibly disclosed, regardless of any actual injury. In the event of a large breach, this could subject a covered entity to a large class action or thousands of suits brought by individual patients.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]