Please pardon the lawyer-speak in the title here, but that is more or less what this post is about.
Check out this piece. It is about the two laptop computers stolen from Horizon Blue Cross Blue Shield that contained unencrypted information about 840,000 plan members. Guess what happened next. You got it! A lawyer filed a class action suit on behalf of the wronged members.
Now life gets interesting, to the extent that the law ever does. Put simply, a lower court rejected the suit because HIPAA does not give individuals any remedy of their own for HIPAA violations. Translated, only the Government has the right to dump on HIPAA violators.
BUT an appeals court recently ruled that HIPAA can establish a standard of care, and organizations that violate this standard can be sued in non-Federal court systems. Note that there is no claim here that anyone was actually harmed by the theft in any material way. They have just been wronged!
Bottom line: while damage awards are far from guaranteed under this set of circumstances, what is certain is that Horizon will wind up with a great deal of aggravation and legal expense out of all of this. The message of this appeals court ruling? If your organization is responsible for storing patient medical data, you should redouble your security efforts to make sure that something like this does not happen under your roof!