Wednesday, October 31, 2012

In Reversing the Dismissal of a Healthcare Data Breach Class Action, the Eleventh Circuit Shows the Importance of Encryption
In early September 2012, the Eleventh Circuit decided Resnick v. AvMed, Inc., reversing, in part, a motion to dismiss, and thereby permitting a class action against AvMed, a Florida health plan provider, that arose from the theft of unencrypted information to move forward.

Specifically, the Court ruled that: (1) plaintiffs claiming actual identity theft resulting from a data breach have standing to bring a lawsuit, which was a matter of first impression before the Circuit, and (2) plaintiffs showed a nexus between the data theft and the identity theft and therefore met the causation element for purposes of federal pleading standards.

The class action stems from the theft of two laptop computers from AvMed’s Gainesville, Florida office in December 2009. The laptops contained electronic protected health information, Social Security numbers, names, addresses and phone numbers of 1.2 million current and former AvMed members. As the Court explained, “AvMed did not take care to secure these laptops, so when they were stolen the information was readily accessible,” and, despite being careful with their personal information, Juana Curry and William Moore, the two named Plaintiffs, became victims of identity theft. Ms. Curry’s name was used to open Bank of America accounts and credit cards which were used to make unauthorized purchases, and her home address was then changed with the post office. Mr. Moore’s information was used to open an account with E*Trade Financial and he was notified that the account was overdrawn.

In the last few years, several courts addressing non-healthcare related data breach class actions dismissed these actions on standing grounds. To have standing, plaintiffs must have an actual, concrete injury in fact. Defense counsel have generally argued – with great success – that a mere loss of personal data, without more, does not demonstrate an injury. However, where plaintiffs can demonstrate monetary losses, courts have generally found standing. Here, the two Plaintiffs each suffered monetary losses due to the identity theft.

Further, the Eleventh Circuit also ruled that Plaintiffs showed a nexus between the data theft and the identity theft and therefore met the causation element, which requires plaintiffs to show that the particular bad act by the defendant caused the plaintiff’s harm. Specifically, the Court reversed the lower court’s dismissal of the following five claims, each of which required causation: (1) negligence, (2) breach of contract, (3) breach of implied contract, (4) breach of fiduciary duty, and (5) unjust enrichment. Upon review, the Court ruled that Plaintiffs’ allegations that the sensitive information contained in the stolen laptops “was the same sensitive information used to steal Plaintiffs’ identity” were sufficient to show a nexus between the data breach and the identity theft.

Most interesting is the unjust enrichment claim, where Plaintiffs argued that “AvMed cannot equitably retain their monthly insurance premiums – part of which were intended to pay for the administrative costs of data security – because AvMed did not properly secure Plaintiffs’ data, as evidenced from the fact that the stolen laptop containing sensitive information was unencrypted.” Plaintiffs further argued that “AvMed should not be permitted to retain the money belonging to plaintiffs because AvMed failed to implement the data management and security measures that are mandated by industry standards.” The Court agreed and ruled that Plaintiffs pled sufficient facts to meet the unjust enrichment elements, in spite of AvMed’s argument that it provides health insurance and not data security services. As such, the class action litigation continues.

Healthcare companies should view this case with concern for at least two reasons. First, the identity theft happened ten months, in the case of Ms. Curry, and fourteen months, in the case of Mr. Moore, after the data breach. Generally, data breach insurance providers cover credit watch services for only one year from the date of discovery or notice of the breach. Second, the Plaintiffs survived the motion to dismiss because they alleged that the information on the laptops was the same information necessary to commit identity theft. In the current environment, very little information is needed to commit identity theft. Importantly, healthcare companies can foreclose this claim altogether by encrypting mobile devices, which is certainly more cost efficient than fighting a class action lawsuit.