Kevin Osborne

We Have Lost Control of Our Medical Records

More and more frequently, we find ourselves typing the following line of text into our complaints:

Because of the highly sensitive nature of the medical records maintained in its care, the Defendant healthcare provider was a target for cyber criminals.

Medical information is the most sensitive data we have. Our past medical procedures, chronic health issues, catastrophic diagnoses ... who knows this information and who does not should be something we control. We don't.

The rapid growth of electronic medical record keeping, online medical services, and mobile medical apps has created new pressure points for criminals to exploit. And while healthcare providers make endless promises that they protect patient data, too often they don't do what they say. When hackers breach a provider's systems, the breach reveals that the provider lacked simple security measures every healthcare provider should use: storing data in secure, offline locations; encrypting private records and data; using up-to-date software with standard security patches applied; using anti-virus applications that block malicious code from external sources; and implementing policies requiring all workers with system access to use HTTPS when using online tools.

When healthcare providers fail to protect medical records from hackers, they break the law. The Health Insurance Portability and Accountability Act, usually called "HIPAA," requires healthcare providers to "implement policies and procedures to prevent, detect, contain, and correct security violations" and "implement a security awareness and training program for all members of its workforce," among other things. (45 C.F.R. § 164.308). State laws in places like Michigan, New York, and California also require healthcare providers to use, at minimum, reasonable care to protect patient medical records from hackers. (See, for example, MCL 500.1406(1), Cal. Civ. Code § 56, N.Y. Gen. Bus. Law § 899-BB.)

But healthcare providers aren't keeping up with these requirements. IBM research shows the healthcare industry has been the hardest hit by cybercrime for twelve consecutive years. According to the federal government's Health and Human Services Office for Civil Rights, more than 100 million Americans were involved in healthcare data breaches in 2023, more than twice the number impacted in 2022. If your healthcare provider has not been the target of a data breach yet, odds are it will be soon. In 2023 alone, our firm filed complaints on behalf of more than 5 million patients.

The fallout from a breach can be a nightmare for the patients involved. When hackers steal records from a healthcare provider, they generally sell the records in the untraceable corners of the Internet to other criminals, who use them to blackmail patients under threat of releasing the information, or to make phony offers to "scrub" the data from the dark web for a fee. Studies by the National Institute of Standards and Technology show hackers often steal data and then hold it for future use years, or even decades, later.

So how do we get healthcare providers to beef up their security and actually safeguard their patients' records? We're lawyers, so we do what lawyers do: we sue them. Healthcare providers will invest in their data security if they know that there are serious consequences (class action lawsuits) from a data breach. While this won't solve the healthcare industry's data breach epidemic by itself, it will help.

If you have been impacted by a healthcare data breach, talk to us. It's our job to help you.
