Thales Blog

Practicing Defensive Security: Responding To The Rise Of Healthcare Data Breach Lawsuits

April 25, 2012

Most readers are probably familiar with the idea of defensive medicine, the practice in which doctors treat patients not to ensure their health, but to safeguard against potential malpractice liability. Clearly, the seemingly hyper-litigious nature of the United States is a driving force behind that practice. In the medical world, defensive medicine is certainly not seen as an ideal practice, but some doctors have felt that it has become necessary to protect their careers.

The same thing is happening in data protection, particularly with respect to Protected Health Information, or PHI. Organizations are beginning to implement data encryption and other data security technologies in order to protect against non-compliance violations, certainly, but also against the cottage industry that has sprouted among plaintiffs’ attorneys – filing health care breach lawsuits. This is particularly true in California, where state law Confidentiality of Medical Information Act of 1981 provides for damages of up to $1,000 per person per violation. CMI was passed well before the digital age, when it was unlikely that thieves would be able to abscond with thousands of records. In the age of digital records, though, it is still somewhat uncertain as to how this law will be applied. In the meantime, plaintiffs’ attorneys are filing lawsuits by the dozens looking for the payout.

Interestingly, a recent paper by ESG suggests that 54% of companies have deployed data encryption solutions in response to targeted attacks. Given the huge impact that a successful class action suit could have on the long-term viability of an organization, it is likely that at least some portion of those deployment are a result of the fear of lawsuit. While regulatory compliance has had some success in moving companies towards greater levels of data security, it is often the threat of monetary loss that has a more profound impact in effecting change. Until the legal system determines how, or if, CMIA of 1981 will be applied in present circumstances, companies dealing with health data would be well-served to practice defensive security.