It seems like only yesterday we first learned of a breach involving the University of Miami Health System (UHealth) and an unnamed storage vendor. Oh, wait. It was.
Notification letters went out to patients on or about February 3, and a potential class action lawsuit was filed in federal court in Florida yesterday. Having skimmed the lawsuit, I confess I am somewhat perplexed by some of the claims, as they do not appear to have any support in any of the publicly available documents on the breach. As one example, the complaint alleges a breach involving UHealth’s “computer storage system,” but the breach reportedly involved paper records. As another example, the lead plaintiff, Joan Carsten, alleges (in Paragraph 19):
As a result, on a date known specifically to Defendant, an unauthorized person or persons, intentionally accessed Plaintiff’s and Class Members’ PII, and then intentionally misused the PII and intentionally disclosed the PII to third parties for profit, causing damage to Plaintiff and Class Members.
Where are they getting that “factual allegation” from? All U. Miami Health System has reported is that neither they nor their vendor can locate some boxes of records that contained bill vouchers. The vouchers included the patient’s name, date of birth, Social Security number, physician name, facility, insurance company name, medical record number, visit number, and procedure and diagnosis codes for the patient’s visit.
There is nothing in their February 3 letter to patients suggesting that the data has been misused or sold. To the contrary, they stated that they have no indication of any kind of misuse. And while Ms. Carsten alleges that she became a victim of unauthorized purchases from her bank account, given all the security breaches we saw last year, how can she substantiate her claim that her fraudulent charges were linked to this particular breach – particularly when no banking or financial information was involved? Indeed, we have yet to be told when those boxes of records were last verified/inventoried at the storage vendor. Have they been missing for years, or did they go missing shortly before UMHS requested them in June?
And why does the complaint claim that the access occurred on a date “known specifically to Defendant,” when there has been no suggestion by UMHS that they know when the records might have gone missing?
The complaint also alleges negligence and violation of the Fair Credit Reporting Act. With respect to the latter, the complaint will likely fail because of its circular reasoning, i.e., UMHS violated the FCRA by failing to maintain reasonable security procedures. How do we know they failed to maintain reasonable procedures? Because they experienced a breach. (Para. 52). That same type of circular argument was just rejected this week by a federal court in Ohio in a potential class action lawsuit against Nationwide Insurance over their data breach in 2012.
That UMHS failed to notify patients in what I would consider a reasonable timeframe is clear, and the complaint does raise some state-level statutory claims. But where is there any demonstration of harm clearly linked to this breach or – as Clapper held – any demonstration of impending harm clearly linked to this incident? Maybe having been a victim of fraudulent charges is enough to avoid a motion to dismiss, but eventually, I suspect this lawsuit will be dismissed.
Maybe plaintiffs shouldn’t rush to sue and wait to see what additional information comes out? Just a thought….
The above is not to suggest that HHS/OCR might not have something to say about UHealth’s security safeguards and the delay in notification. But given how data breach lawsuits have gone in this country, I just don’t see this one as being likely to prevail. What do you think?