Data Breach, But No Proof of Damages

I just saw an interesting case out of Iowa (via BNA, subscription required), Doe v. Central Iowa Health System, Iowa, No. 07-1017, 5/15/09, where an employee/patient who had attempted suicide sued several hospitals and other providers over improper access to his medical records by coworkers. The jury determined that improper access occurred, but the plaintiff didn't show that the disclosures caused his mental anguish.
I noted early on that the big issue in improper disclosure cases will be the measure of damages (if you violated HIPAA, you've lost the case and are left simply to argue damages). Interestingly, in most cases, there aren't going to be any damages: except for sexual issues, mental health, or drug information, most medical information is pretty damned dull, when you think about it. Wanna see an MRI of my ruptured Achilles tendon from a few years ago? I didn't think so. Here, the case DID involve one of those areas, so you'd think damages would be easy to prove. And I think they would've been, except that the plaintiff did not put on any expert testimony of his mental anguish and the physical effects it had; all he had was his own personal testimony that he lost sleep, became less social, etc. If he had hired an expert psychologist to say how screwed up he was (in other words, if he'd focused on damages), he'd have come out with some judgment cash.