[ Thursday, January 07, 2016 ]
Massachusetts Court Finds Standing to Sue for Breach Without Showing Actual Damages:
Jeff [3:50 PM]
Boston Medical Center used a record transcription vendor that posted BMC's patient data on a website for physicians to access; however, access to the website was not password-protected. Even though there is no evidence that any unauthorized person looked at the data, much less any allegation of actual harm, BMC notified 15,000 patients of the possible breach (likely because they couldn't reasonably determine that there was a "low risk of compromise," since they couldn't prove a negative).
A patient sued BMC, not alleging that anyone actually viewed the data, only that the mere fact of its exposure is sufficient to allow the patient to sue. BMC moved to dismiss, arguing that the plaintiff should have to show damages in order to have standing to sue. The judge disagreed and rejected the motion to dismiss.
It appears that the trial court infers that the notice from BMC is somehow proof that there is a real risk of harm, justifying standing. That puts a covered entity in a tough position: if they really think there's virtually no risk but want to give notice "just to be on the safe side," they run the risk of opening the door to unharmed plaintiffs (i.e., those without actual damages) to drag the entity into court at considerable expense.
It will be interesting to see if this holds up; it seems to be contrary to the Clapper decision, which requires that some actual harm be alleged.