Healthcare News & Insights

Who’s liable after patient data is breached?

Healthcare organizations can face many consequences if information is lost or stolen, including lawsuits from patients. When are organizations held liable after a data breach? 

One recent lawsuit was filed against IBM and Health Net, a California-based health insurer.

IBM, which manages Health Net’s IT infrastructure, informed the company that it had lost nine hard drives containing personal and medical information of more than 800,000 Health Net members.

The affected people were told about the incident by Health Net. Three of the drives were later found, but the others remained missing.

In response, a group of individuals whose data was contained on those drives sued IBM and Health Net, blaming the two companies for negligence in exposing their personal information and endangering their privacy (Cite: Whitaker v. Health Net of California, Inc.).

However, the court threw out the case. The reason: None of the plaintiffs could show they’d suffered any actual harm because of the loss of their information. For instance, none could show that they were the victim of any fraud after the incident.

In previous cases, courts have likewise ruled that data breach victims must suffer real damage before they can sue — they can’t sue simply because they’re theoretically at greater risk of fraud because of the breach.

That’s one reason it’s critical for healthcare organizations to respond quickly and appropriately after information is lost or stolen. Read here for more information about responding after a data breach.
