Doctor concerned with health care law

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Health Law Daily, February 13, 2017

Premera’s data breach headaches continue in court

By Anthony H. Nguyen, J.D.

A putative class action suit against Premera Blue Cross, a health care benefits servicer and provider, was permitted to continue because fraud-based claims based on affirmative misrepresentations did not require actual reliance and an express contract breach. The district court, however, dismissed claims related to active concealment and contract-based claims alleging breach of an implied term in an express contract (In re: Premera Blue Cross Customer Data Security Breach Litigation, February 9, 2017, Simon, M.).

Background. Premera publicly disclosed in March 2015 that its computer network had been breached, compromising information of 11 million current and former members, affiliates, and employees. The information included names, dates of birth, Social Security numbers, along with medical claims information and other protected health information (PHI) (see Premera offering identity theft protection for cyberattack victims, March 18, 2015). The individuals alleged that after discovery of the breach, Premera unreasonably delayed notifying affected individuals. In an amended pleading, the individuals alleged a number of fraud-based and contract claims stemming from Premera’s policy booklets, privacy notice, and code of conduct following the nationwide data breach.

Fraud-based claims. According to the complaint, Premera did not take appropriate measures under federal and state law to safeguard the PHI. The individuals alleged that Premera’s policy booklets, privacy notice, and code of conduct are sent to members and contain affirmative misrepresentations regarding confidentiality of the PHI. Premera argued that in an affirmative misrepresentation case, without any allegations that any individual read and relied upon the allegedly false or misleading statements, an individual could not demonstrate causation. The district court rejected this argument, noting that the state consumer protection act in question did not require actual reliance. As such, the individuals’ claim of affirmative misrepresentation would remain.

The court also found that the amended complaint sufficiently articulated that Premera should have disclosed that it did not implement industry standard access controls, did not fix known vulnerabilities in electronic security protocols, failed to protect against reasonably anticipated threats, and did not comport with its assurances regarding PHI. The amended complaint sufficiently alleged a claim for fraud by omission and claims based on alleged misrepresentations.

The court dismissed claims related to active concealment.

Contract-based claims. For similar reasons as to the fraud-based claims, the district court found that the representations in the privacy notice were sufficient for a breach of contract claim. Notably, it was reasonable that an individual who received a policy booklet with an attached privacy notice would consider it an express contract of PHI protections.

The individuals, thus, sufficiently alleged claims for breach of express contract for alleged breach of Premera’s obligations contained in its policy booklet and privacy notice.

In an alternative to the breach of express terms in the express contract, the amended complaint also alleged that there was an implied term in the express contract. Specifically, the express contracts implied that Premera would implement data security to safeguard and protect PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191).

Under state law, a court may imply an obligation into a contract based on five requirements: (1) the implication must arise from the language used or it must be indispensable to effectuate the intention of the parties; (2) it must appear from the language used that it was so clearly within the contemplation of the parties that they deemed it unnecessary to express it; (3) implied covenants can only be justified on the grounds of legal necessity; (4) a promise can be implied only where it can be rightfully assumed that it would have been made if attention had been called to it; (5) there can be no implied covenant where the subject is completely covered by the contract. In addition, the state has implied the duty of good faith and fair dealing into every contract. Premera argued that implying a data security term into a parties’ contract would frustrate the purpose of Congress in not allowing a private right of action under HIPAA.

The court noted that the factors must be met before implying any other term into a contract governed by state law. The individuals offered no support for the proposition that if a contract could not expressly disclaim a particular obligation, a contract that does not expressly include that same obligation would be invalid. As such, the court held that for contracts governed by state law, it would decline to imply a term into the parties’ contracts that would require adequate data security measures be taken. The fact that there is no private right of action under HIPAA, however, does not preclude causes of action under state law, even if such a cause of action requires as an element that HIPAA was violated.

The case is No. 3:15-md-2633-SI.

Attorneys: Chase C. Alvord (Tousley Brain Stephens PLLC) and Keith S. Dubanevich (Stoll Stoll Berne Lokting & Shlachter PC) for Plaintiffs. Daniel R. Warren (BakerHostetler) and Darin M. Sands (Lane Powell PC) for Premera Blue Cross.

Companies: Premera Blue Cross

MainStory: TopStory CaseDecisions CyberPrivacyFeed EHRNews HIPAANews OregonNews

Back to Top

Health Law Daily

Introducing Wolters Kluwer Health Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.

A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.