Can Health Care Providers Be Sued for Being Hacked?

February 19, 2015

Insurance giant Anthem, the second largest health insurer, was recently in the news after reporting that it had been the victim of internet hackers.
Although it is too early to determine the extent of the damage, Anthem has publicly stated that no medical information has been compromised. However, some reports indicate that names, addresses, Social Security numbers and other “identifiers” may have been disclosed.

I have written previously about whether patients can bring lawsuits for a breach of HIPAA.

I. HIPAA Basics

In 1996, Congress passed the Health Insurance Portability and Accountability Act of 1996, which established the requirement for health care providers and other covered entities to make protected health information secure. Generally speaking, HIPAA only allows the government to penalize healthcare providers, business associates, insurers, and clearinghouses with fines and other types of sanctions. The law provides:
§ 1320d-6. Wrongful disclosure of individually identifiable health information

(a) Offense
A person who knowingly and in violation of this part—

(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection (b) of this section. For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.
(b) Penalties
A person described in subsection (a) of this section shall--
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
II. No Private Right to Sue Under HIPAA

Courts have consistently declined to hold that HIPAA creates a private cause of action, meaning a right to sue individually if HIPAA is breached. Furthermore, federal courts have held that there is not even an implied right to sue under the Act.
III. Could a Lawsuit Be Brought Under an Alternative Theory of Liability?
Some interesting theories have been advanced to support the proposition that HIPAA creates standards for the health care and insurance industry to use in protecting health care information. Breach of those standards could conceivably be used as a basis for civil liability. This means that HIPAA would not be the basis for the cause of action, just the standards by which the jury evaluates fault.

In Florida, courts have traditionally recognized the tort of “negligence per se,” which refers to violation of a statute or ordinance as the basis for liability. Negligence per se arises from violation of a statute establishing a duty to take steps to protect a particular class from a particular injury or type of injury. It has been held that to establish negligence per se, a plaintiff must (1) establish membership in the class of persons intended to be protected, (2) show that the injury is of the type the statute was intended to protect against, and (3) show that the injuries proximately resulted from the violation of the statute. Torres v. Offshore Professional Tour, Inc., 629 So. 2d 192 (Fla. 3d DCA 1993). Under a HIPAA scenario, patients are the primary “class of persons” the Act was intended to protect.


Another interesting, albeit novel, theory has been described as the tort of “Negligent Enablement of Cybercrime.” As described in an article in the Berkeley Technology Law Journal, this theory posits:

“Potentially, a software licensee could use The Health Insurance Portability and Accountability Act of 1996 (HIPAA) to prove negligent enablement of a computer intrusion. HIPAA prohibits a person from knowingly using a “unique health identifier” or wrongfully obtaining “identifiable health information relating to an individual” or disclosing “individually identifiable health information to another person.” Arguably, a provider that uses software with a known vulnerability is, in effect, knowingly disclosing private health information to unauthorized third parties such as cybercriminals.”

Rustad, Michael L., & Koenig, Thomas H., The Tort of Negligent Enablement of Cybercrime, 20 Berkeley Technology Law Journal 1154, 1594 (2005)

In one particular case, Walgreens was ordered to pay over $1 million as the result of a security breach. In that case, HIPAA was used not as the basis for getting into court, but as a predicate for establishing fault for the breach. See

IV. Conclusion
While HIPAA does not establish a jurisdictional basis for bringing a civil suit for breach of protected health information, some state tort laws and newly developing theories of liability may be a vehicle for establishing liability. Both patients and health care providers should be aware of this developing area of law.

If you have a question about your rights concerning medical records law, HIPAA, license discipline, or civil liability under Florida law, contact Jeff Howell at the law firm of Howell, Buchan & Strong, Attorneys at Law at 850-877-7776 to schedule a free, no-obligation consultation.
