Analysis: Unusual Ruling in Massachusetts Breach Case

A Massachusetts judge's unusual decision to allow a class-action lawsuit stemming from a health data breach to proceed, despite a lack of evidence of harm stemming from the incident, likely won't influence other cases, says attorney Kevin McGinty.

The case, Walker et al vs. Boston Medical Center, stems from a breach reported in 2014. The medical center notified about 15,000 patients that their health records were inadvertently made accessible to the public through the unsecured website of an independent medical record transcription services company (see Transcription Breach Affects 15,000).

The Massachusetts judge's ruling is unusual because most data breach-related class-action lawsuits, especially those filed in federal courts, have been dismissed if plaintiffs haven't been able to show evidence they've been injured by identity theft, fraud or other harm as a result of the breaches. In the latest such ruling, a U.S. District Court in New York dismissed a class-action lawsuit against arts and crafts retailer Michaels, which suffered a malware breach in 2013 affecting more than 2 million individuals.

But courts are becoming "much more sensitive to data breaches, depending on the type of data that is stolen," McGinty, who is not involved in the Massachusetts case, says in an interview with Information Security Media Group.

While many highly publicized lawsuits have involved breaches that resulted in the theft of credit card data, "it's very hard for consumers to be injured" by such thefts because they are not held responsible for the fraudulent charges on their cards that might result, and an individual's credit card number cannot be used to steal their identity, he explains. That's why the courts have found in many such cases that there was no standing to bring the claim.

However, when a breach involves the theft of medical information, "courts are a lot more sensitive to that - not only does it have highly personal information about the individual that might be embarrassing to them, but often medical information has dates of birth and Social Security numbers that can be used to steal identities," he says.

So, in the Massachusetts case, the judge's decision likely reflected that medical information, and not credit card information, was exposed, plus the uncertainty about what happened to the information, McGinty says. "The judge seemed reluctant to do away with the case, when there is no basis at this point to know what happened to the information."

Will Ruling Be Influential?

The judge's ruling in the early stages of this case is likely to only be relevant to other state cases in Massachusetts, McGinty says. "And it's not even clear how extensively it's going to be in play here," he says, because the case is just entering the discovery phase, which will help determine if there is any evidence of harm.

The vast majority of breach cases wind up in federal courts, the attorney points out. And winning these class-actions became more difficult for plaintiffs after the U.S. Supreme Court in 2013 ruled in the case of Clapper vs. Amnesty International that standing could not be based solely on the potential for future injury, he notes.

In the interview, McGinty also discusses:

Lessons that other organizations can learn from the Massachusetts case so far;
Whether the ruling allowing the case to proceed to the discovery phase could potentially impact other state or federal breach cases involving Massachusetts residents;
The next steps in the case against the Boston healthcare organization.

An attorney in the Boston office of the national law firm Mintz Levin, McGinty specializes in corporate, healthcare and class-action litigation. He also co-chairs the firm's class-action working group and its healthcare enforcement defense group and has significant experience representing healthcare related entities in a variety of litigation matters. His healthcare industry clients have included pharmacies, hospitals, clinical laboratories, diagnostic imaging providers, pharmaceutical companies and managed care organizations.