The Nature of Harm In A Data Breach
Article on April 18, 2012
This post is part of our ongoing series of contributed content.
How do you measure the non-monetary harm caused by the disclosure of sensitive health information? And why should you care? Obviously, the harm will vary from patient to patient, depends on individual circumstances, and can be difficult to measure. However, these challenges do not negate the existence or extent of the harm such a disclosure can create.
It is not hard to imagine that for certain individuals disclosure of medical information of a particularly sensitive nature (HIV status, reproductive issues, certain genetic markers and certain diagnoses such as cancer and mental health issues) could have a devastating impact on their lives. But how do you measure embarrassment, or mental distress? How do you measure the damage done to relationships or social ostracism?
It appears that courts are reluctant to delve into these waters and recognize non-monetary injuries, finding refuge in statutory language and legislative intent. For example, the U.S. Supreme Court decision issued last month in Federal Aviation Administration v. Cooper held that an individual cannot sue the United States for damages under the Privacy Act of 1974 due to mental or emotional distress caused by the government's intentional violation of the individual's right to health information privacy. In the Cooper case, it was undisputed that the federal government had violated the plaintiff's right to health information privacy under the Privacy Act—the only issue was whether the individual could sue the government for damages resulting from emotional and mental distress. The majority found that it was unclear whether Congress intended to include mental and emotional distress in the term “actual damages” that may be awarded against the government under the Privacy Act.
On February 24, the Oregon Supreme Court issued a decision in Paul v. Providence Health System upholding a lower court ruling dismissing a class action for damages by individuals whose health records were among those stolen from a health care system in Oregon. The Court held “that plaintiffs' allegations of injury here are insufficient to state a claim for emotional distress ... [because] ... plaintiffs' alleged emotional distress is premised entirely on the risk of future identity theft, not on any actual identity theft or present financial harm.” Decision at p. 14. This decision suggests that plaintiffs who are victimized by the theft or loss of health records will have to show some current monetary harm or damage in order to maintain a class action lawsuit.
In both cases, the courts looked to “actual damages” measurable in dollars and cents. In the absence of this type of measurable damage, no recourse was available to the plaintiffs. While these decisions are beneficial from the perspective of both government and private actors who handle sensitive, private health information, the outcomes are less satisfying to those of us who are potential victims of unauthorized disclosures.
After all, what is privacy? Is health information the same as financial information? Do we suffer the same type of harm from the disclosure of health information as we do for disclosure of financial information or identity theft? If this were the case, why the need for the HIPAA and HITECH Acts and the volumes of resulting regulations?
A more satisfying interpretation of privacy might be found in Justice Sotomayor's dissenting opinion in the Cooper case where she expressed that, as a result of the majority opinion limiting “actual damages” under the Privacy Act of 1974 to pecuniary loss, “individuals can no longer recover what our precedents and common sense understand to be the primary, and often only, damages sustained as a result of an invasion of privacy, namely mental or emotional distress… And it cripples the Act's core purpose of redressing and deterring violations of privacy interests.” Dissenting opinion at p. 1.
Unlike the Privacy Act of 1974, HIPAA does not provide a private cause of action for individuals who have been harmed as a result of the unauthorized disclosure of protected health information. HIPAA established the standards for protecting such information, created a duty to notify once information has been improperly disclosed, and allows individual states to impose standards that are higher, but not lower, than the federal standards. This leaves the door open for states to adopt a broader definition of “harm” than either the majority in the Cooper case or the court in the Paul case was willing to recognize.
It may be that, in this electronic age, when the scope of individuals impacted by the disclosure of personal health information is potentially so vast, state courts and legislatures will be reluctant to impose any additional burden on health care providers to compensate persons for mental or emotional distress resulting from such a disclosure. However, as more high profile breaches occur, elected officials may come under pressure to recognize and provide a remedy for mental and emotional damages.
Even if the harm is not recognized as a matter of law, that does not mean it does not exist. The question is—who will pay and how? Clearly, the bulk of the damage is suffered by the individuals who entrusted their personal health information to their doctors and other health care providers. However, it is also possible that our health care system may incur subtle and insidious damage as patients lose faith in the ability of health care providers to keep their most private health matters confidential and safe.