On April 6, 2012, The Recorder reported that a flurry of privacy data breach actions have recently targeted hospitals, medical service providers and at least one health insurance company in California.

"Patient privacy is not a new area," Pillsbury partner Sarah Flanagan said. "What's new is class actions directed at security breaches that potentially involve thousands of patients."

Flanagan, who represents Stanford Hospital in a data breach case filed in September, said health care privacy litigation used to come in the form of individual actions against a hospital or medical services provider. But the $1,000-per-instance clause in California's Confidentiality of Medical Information Act of 1981 opens the doors to potentially multimillion-dollar awards if a hospital's entire patient roster is leaked online.

"You've seen these cases in the commercial setting," Flanagan said. "There have been plenty of credit card and other commercial cases in which privacy has been an issue." The law in those cases is further along. Now the plaintiffs bar has trained its eyes on the health care industry, which offers a unique regulatory scheme, she said.

Flanagan said the courts will have to answer a number of new questions about the language in the law and its application. For one thing, the law was not written with class actions in mind. One of the issues being challenged now is what plaintiffs have to prove to establish a negligent violation, which she said is necessary to qualify for the $1,000-per-breach award. Flanagan also questions how appropriate it is to aggregate what was intended to be nominal damages into a multimillion-dollar number that is "disproportionate to any harm to the plaintiffs and to the violation."