The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Oregon Supreme Court Holds Insufficient Injury to Allow Negligence Claim in Data Breach Suit

On February 24, the Oregon Supreme Court held that absent any allegations that stolen personal information was used or viewed by a third party, plaintiffs had not suffered an injury that would support a negligence claim or an action under Oregon’s Unlawful Trade Practices Act in Paul v. Providence Health System-Oregon. 

The breach at issue occurred in 2005, when an employee left disks and tapes containing medical records for 365,000 patients in the employee’s car and those disks and tapes were stolen.  Some of the records went back 20 years, and contained Social Security numbers and medical information.   In 2006, the defendant settled with the Oregon Attorney General and agreed to pay credit monitoring costs to affected patients for two years and over $95,000 to the Attorney General.  In 2007, the trial court granted the defendant’s motion to dismiss, taking into account that several plaintiffs had been at least partially compensated via the attorney general settlement, and holding that the plaintiffs’ claimed damages were premised on the risk of future injury rather than actual present harm.

Plaintiffs argued that they had suffered financial loss in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft.  They also argued that they had suffered damages in the form of emotional distress caused by the theft of the records.  The Supreme Court, however, found not only that there was no evidence that the plaintiffs had suffered any financial loss as a result of the breach, but also that there was no evidence that the records had ever been accessed or viewed.  The Court also noted that its decision to dismiss the claims was in line with many other decisions by courts in other jurisdictions, such as Pisciotta v. Old Nat. Bancorp out of the Seventh Circuit and Ruiz v. Gap from the Ninth Circuit.


Supreme Court Hears Oral Arguments in Data Mining Case

Today, the Supreme Court heard oral arguments in Sorrell v. IMS.  At issue was a Vermont law that banned the selling and buying of prescription information without a doctor’s consent.  The law also required that doctors fill out a form as part of their license renewal application indicating whether they agree to have their prescription information sold for marketing purposes.  The Second Circuit previously held this law was an impermissible restriction upon commercial speech, and therefore unconstitutional.

At oral arguments, it was clear that the Justices viewed this case as one concerning commercial speech.  In response to Vermont’s arguments, Justice Kennedy stated Vermont was “regulating speech,” and Justices Kennedy, Scalia, and Chief Justice Roberts all suggested that Vermont was attempting to limit drug companies’ speech only because the speech was effective in selling their products.  Although privacy observers have suggested that the ruling will have a large impact on both data mining companies and consumers, only at the end of arguments did at least some of the Justices appear open to allowing states some ability to regulate data-mining that threatened privacy. 

The Court is expected to issue a decision before recessing for the summer.  The transcript of today’s arguments is available here.

Supreme Court Grants Certiorari in Case Challenging Vermont’s Prescription Confidentiality Law

On January 7, 2010, the U.S. Supreme Court granted the petition for writ of certiorari filed by the State of Vermont seeking to overturn the decision from the Second Circuit which held that Vermont’s prescription confidentiality law was unconstitutional. 

The section of the Vermont law at issue in the appeal, codified at 18 V.S.A. § 4631, prohibits the sale, license, or exchange for value of prescriber-identifiable data for marketing or promoting a prescription drug unless the prescriber consents.  The Vermont legislature passed the law in 2007, intending to protect public health, to protect prescriber privacy, and to reduce health care costs.

The law was challenged by companies, commonly referred to as “data miners,” which purchase information regarding prescriptions from pharmacies, including the prescriber’s name and address, the name, dosage, and quantity of the drug, the date and place the prescription is filled, and the patient’s age and gender.  The data miners aggregate this information and sell it to pharmaceutical research and manufacturing companies to assist in their marketing efforts to prescribing physicians.  The law was also challenged by the Pharmaceutical Research and Manufacturers of America.  

The Second Circuit overturned the district court’s decision, 631 F. Supp. 2d 434 (D. Vt. 2009), which had upheld the Vermont law as a constitutional restriction of commercial speech.  The Second Circuit determined that the Vermont law did not pass intermediate scrutiny under Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n, 447 U.S. 557 (1980) because the Vermont law did not “advance the state’s interests in public health and reducing costs in a direct and material way” and there were less speech-restrictive means which Vermont could have used.

The Second Circuit’s decision created a split with the First Circuit, which had previously upheld similar laws from New Hampshire (IMS Health Inc. v. Ayotte, 550 F.3d 42 (2008)) and Maine (IMS Health Inc. v. Mills, 616 F.3d 7 (2010)).

According to a statement from the Vermont Attorney General, the case, Sorrell v. IMS Health Inc., No. 10-779, will likely be argued in April of this year and decided before the end of the Court’s term in June.

Connecticut Data Breach Suit Settled for $375,000 in Penalties

On November 8, 2010, the Connecticut Insurance Commissioner announced that the Connecticut Insurance Department has reached a settlement with Health Net of Connecticut (“Health Net”) over Health Net’s actions during a 2009 data breach affecting approximately 500,000 Connecticut residents.  The Insurance Department alleged that Health Net failed to safeguard personal health information and other personally identifiable information, including Social Security numbers and bank account numbers, of Connecticut residents from misuse by third parties and failed to timely notify affected residents of the data breach.  The settlement requires Health Net to pay $375,000 in penalties.  Since the 2009 data breach, Health Net has also provided credit monitoring protection for two years to affected Connecticut residents and agreed to improve data and information security standards to better protect information from unauthorized disclosure.  Health Net’s settlement with the Insurance Department is in addition to a settlement between Health Net and the Connecticut Attorney General reached in July 2010, which required Health Net to pay the state $250,000.  The Connecticut Attorney General had alleged that Health Net violated Connecticut data breach and data safeguard laws, as well as the federal Health Insurance Portability and Accountability Act (“HIPAA”).

Oregon Court of Appeals Reviews Class Action Over Breach of Patients’ Records
In a long-awaited decision, Paul v. Providence Health System – Oregon (Oct. 6, 2010), the Oregon Court of Appeals ("Court") unanimously affirmed the dismissal of a class action arising out of a third party’s alleged theft of hospital patients’ personal information. The stolen records contained unencrypted personal, medical, and financial information for an estimated 365,000 patients.  Patients, whose information had allegedly been stolen from a hospital employee, sued the hospital for negligently failing to safeguard the records and violating Oregon’s Unlawful Trade Practices Act ("UTPA"). The patients, who asked to represent a class of all individuals affected by the alleged theft, sought injunctive relief and damages for emotional distress and for past and future costs of credit-monitoring and other services to protect against identity theft.

Plaintiffs’ negligence claims were based on per se and common law negligence.  As to the first negligence claim, the plaintiffs alleged that the hospital failed to comply with federal and Oregon state laws providing for the protection of medical information.  With regard to the common law negligence claim, plaintiffs alleged that the defendant was negligent "in failing to safeguard the data, in failing to encrypt it, in allowing its agent or employee to store such data in his or her car, and in failing to put in place policies that would protect such data from theft and disclosure."  Further, the plaintiffs claimed that the defendant violated Oregon’s "UTPA" by (1) "representing that all information gathered to sell its services or goods would be safeguarded and kept confidential when it knew that it lacked adequate means to safeguard such information" and (2) "representing that the business of sale of services and goods would include privacy and confidentiality when it knew that the transactions were not confidential due to its inadequate data protection program."  Plaintiffs did not allege that they had been victims of fraud or identity theft as a result of the stolen information or that the stolen information had otherwise been compromised. 

The trial court dismissed the patients’ claims for failure to state a claim on which relief could be granted, and, under a unique provision of Oregon law, determined that a class action could not be maintained because the hospital had provided a timely and appropriate remedy to patients allegedly affected by the theft.  On appeal, the Court agreed that the plaintiffs had not alleged a legal basis for the hospital’s liability, finding that the trial court was correct to dismiss the plaintiffs’ action and that the hospital did not owe a special duty to protect patients’ records from theft other than the duty to exercise reasonable care to prevent economic loss or emotional distress to the plaintiffs.  Because the Court dismissed the action for failing to state a claim on which relief could be granted, the Court did not reach the question of whether the trial court properly determined that the case could not proceed as a class action.  The Oregon Court of Appeals opinion is available here.

Thank you to Douglas Ross of Davis Wright Tremaine LLP, a member of the ABA Privacy and Information Security Committee, for helping create this post.

Consumer Advocates and Pharmacists’ Group Request FTC and HHS Investigation of Possible Violation of Health Privacy Rules

The National Community Pharmacists Association (NCPA) and seven consumer advocacy groups have requested that the FTC and the Department of Health and Human Services investigate activities by CVS Caremark that may violate HIPAA.  In a letter filed with the FTC and HHS, the organizations alleged that CVS Caremark used health information in violation of health privacy and antitrust laws.  CVS Caremark was created from the 2007 merger of the pharmacy CVS and the pharmacy benefits manager Caremark Corp.  The letter alleges, among other things, that CVS Caremark uses the information it obtains from non-CVS pharmacies through its pharmacy benefits management program to market the CVS mail-order pharmacy and CVS in-store pharmacy programs to those consumers, an inappropriate use of protected health information.

CVS Caremark recently settled an action with the FTC regarding its data security practices.

Additional coverage of the story is available here.

Becoming HITECH: Actions Covered Entities and Business Associates Should Take Now to Comply with the Requirements of the HITECH Act

The HITECH Act’s breach notice provisions became effective yesterday, but there are many additional features of the statute of which covered entities and business associates should be aware.  For example, the HITECH Act creates several new and potentially burdensome obligations that affect the relationship between covered entities and business associates.  Because these changes are quite substantial and necessitate revisions to existing business associate agreements, covered entities and business associates should begin compliance efforts as soon as possible.  Additional commentary on the HITECH Act and implementing regulations is available here and here.

FTC and HHS Issue Healthcare Notice of Breach Rules Under The American Recovery and Reinvestment Act of 2009

On August 17, 2009, the Federal Trade Commission (FTC) issued its final rule and on August 19, 2009 the Department of Health and Human Services (HHS) issued its interim final rule, both relating to notification of individuals when their health information is breached.  The regulations are the result of requirements under the American Recovery and Reinvestment Act of 2009 (ARRA), with the HHS rule more specifically required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, a part of ARRA.  The HHS regulations apply to covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates.  The FTC’s rule, the Health Breach Notification Rule (Health Breach Rule), applies to both vendors of personal health records (PHR), which provide online repositories that people can use to keep track of their health information, and entities that offer third-party applications for personal health records.

Medical Identity Theft Is Nothing To Sneeze At

According to the World Privacy Forum, medical identity theft is on the rise, and the problem will only get worse before it gets better.  This article from msnbc illustrates the issue and how it can impact individuals in a worse way than financial identity theft.


Personal Health Records Industry Faces New Privacy Law

Many companies are beginning to get into the business of enabling individuals to store and manage their health records on their web sites.  Often, these companies are not HIPAA-covered entities.  Are there any other privacy laws that they need to consider as they enter this market?

Until recently, there was no privacy law that specifically applied to a personal health record service provider that is not covered by HIPAA.  But there is a lot of focus on the part of legislative and regulatory bodies on the lack of a specific law that covers this emerging industry.  In fact, California just amended its Confidentiality of Medical Information Act (CMIA) to expand its scope to cover the personal health records industry.  (Civil Code 56.05 – 56.37)

California’s CMIA, among other things, requires that companies allow individuals to access their medical information and obtain patient consent before disclosing medical information to third parties.  CMIA also requires that medical information not be used for purposes beyond health care services without patient consent.

Any company that collects medical information from individuals should check to see if CMIA applies to its practices and, if so, ensure that it is complying with CMIA.  In particular, it should obtain all the patient approvals that are necessary for the company to use the medical information it collects as intended.  Companies that are not covered by CMIA should nonetheless consult generally applicable state privacy laws, some of which specifically cover medical information and apply to companies that are otherwise unregulated by industry-specific laws (e.g., California’s Civil Code 1798.91, requiring consumer notification when collecting medical information that will be used for direct marketing purposes).