Data breach lawsuits get easier while electronic medical records create questionable evidence

UPDATE on August 5: Neiman Marcus has requested a rehearing en banc in the data breach lawsuit referenced below. The retailer asserts that the 7th Circuit Court’s “use of an expansive standard to find that… speculative allegations of … injury” is sufficient to establish standing in data breach suits will be “enormously consequential to the national legal landscape.”

True enough. But this does not change Habeas Hard Drive’s conclusions about medical records, below. Even if the full 7th Circuit Court should find for Neiman Marcus, the company’s arguing only about the risk of injury related to credit card accounts. It says none exists because credit card holders are not accountable for fraudulent charges to their accounts.

Habeas Hard Drive repeats, loud and clear:  Electronic medical records are a mess, creating both actual risk and potential risk, and the health care sector will suffer continued legal jeopardy, even after other business sectors have tightened security.  — HHD, August 5, 2015

The medical field is particularly sensitive to potential litigation, but that anxiety has not translated to better data management practices. Information chaos reigns in the health care sector.

UCLA Health System is the latest to be sued for a massive data breach, with 4.5 million plaintiffs asserting that they’ve been exposed to potential harm because the UCLA medical facilities failed to encrypt patient records. The claims aren’t related to actual harm, but to potential harm. But…

Almost simultaneously, we see this from the 7th Circuit, in effect lowering the bar for data breach suits. In a class action against Neiman Marcus, plaintiffs claim both potential and concrete injury after a breach of credit card data. The court found an ‘objectively reasonable likelihood’ that they will suffer fraud and identity theft caused by the exposure of their data.

The court said, in effect, “Duh!” What else would motivate cybercriminals to steal credit card information? Plaintiffs satisfied the requirements to show a substantial risk of harm that’s traceable to the defendants, and for which there is redress, the court concluded. (The court did not acknowledge the Plaintiffs’ claims of concrete injury, remanding those back to the lower court.)

If they’re pounded with data breach lawsuits, maybe the business world will start taking security seriously. But health care data won’t be easily buttoned up, leading to long-term legal jeopardy. For proof, we look to the doctors themselves, whose despair over electronic medical records has reached critical mass. At a town hall hosted last month by the American Medical Association, they told bitter tales of “workflow problems, decreased productivity, lack of interoperability,” according to this story from the FierceHealth IT newsletter.

“We have a technology that brings graduate degree-educated people to their knees,” AMA president Steven Stack said. “There’s something not right here.”

The practitioners are complaining about the effect on patient service and medical outcomes, not about data security. But this is a big indicator that security flaws and poor information governance are also at hand, leading to unreliable records.

Frustrated and demoralized personnel working with a system they detest are less likely to follow best practices. Moreover, the technologies are geared to meeting federal data-gathering goals, the doctors complain, not medical efficacy.

The result is an environment that cultivates poor data integrity, casting doubt on the data coming out of the system. Poor data integrity means questionable evidence.

All of this underscores the need for special care reconstructing medical data in advance of litigation. Electronic medical records have varying degrees of reliability. Defendants may claim they don’t have the records being requested, which may or may not be true.

When it comes to interpretation, what you see is not necessarily what the patient got. Printing out a report from a medical system or device is not an accurate representation of the record. It’s an incomplete record at best, and therefore a poor representation of actual events. For ease of use by the medical staff, printouts produce only portions of the data, distorting it in ways that can damage both sides. But such printouts are often presented as evidence in med mal cases.

Forensically preserved evidence is legitimate only when it’s presented in its native format — that is, the way it was created and stored in the system – a format the end user generally does not see. Native files produce the most accurate picture of what occurred in the past — which is the definition of forensics.

All of this can accrue to the favor of either side. Early preservation of electronic evidence is the key to sound discovery.  Ask your expert to help you write a request that will produce native files.

