About 20 Tennessee-based health care companies have reported data breaches in the past few years, and several of them have faced lawsuits afterward.
A bill making its way through the statehouse would make it harder for breach victims to sue. Critics say the policy would be one of the most lenient in the country and that it would allow companies to slack off on cybersecurity.
Personal health information is more valuable on the black market than credit card or social security numbers alone, which is one of the reasons hackers have focused on that industry.
Murfreesboro Medical Clinic reported an attack in June.
That’s in Sen. Shane Reeves’ district. He filed Senate Bill 2018 this year. The measure focuses on class action lawsuits.
Supporters argue this kind of legal challenge kicks companies while they’re down.
“We can’t stop that attack,” Reeves said during a hearing this week. “But what we can do is try to put things in place, so that they’re not being caught up in civil action lawsuits when they’re just trying to get back on their feet.”
Under current law, companies have to take “reasonable care” to prevent leaks. But this proposal would raise the bar. Victims would have to prove “willful, wanton or reckless” negligence.
“If they’re doing what they can, then they should not have to spend millions of dollars to climb out of a hole,” Reeves said.
Joey Peay is the CEO of Murfreesboro Medical Clinic. He said, after the attack, the facility ended up spending $1.5 million on IT updates and credit monitoring services for patients whose data was put at risk.
Federal data estimate about 560,000 patients were affected.
Peay told the committee it didn’t take long for the class actions to roll in. He said, a few weeks ago, he and the legal team went through a day of mediation meetings.
“Those eight named plaintiffs in the six suits, they get chump change,” he said. “They get a couple thousand dollars apiece. The trial lawyers are splitting almost $400,000 … So it’s just become a racket for trial lawyers exploiting what could have driven our company into bankruptcy.”
And that amount is just attorneys’ fees, Peay said. The actual settlement will be somewhere in the seven figures.
Jim Higgins is a personal injury attorney, and he testified against the bill on behalf of the Tennessee Trial Lawyers Association. He and other critics say the measure would let companies be lax on cybersecurity.
“Companies that do not take reasonable care in guarding information are immune the way this bill is written, because that standard is gone,” he said. “It protects companies that do not take reasonable care.”
Higgins noted that other states and the federal government are moving in the other direction on holding companies responsible for data breaches. As an example, he noted that Congress is trying to crack down on the social media company TikTok over data privacy concerns.
“Tennessee will have less rights than any other state in the country if this law gets passed,” he said. “I understand the intention — the frustration if somebody goes through it. But the protection needs to be there.”
Health care companies have to report data breaches to the federal government. The 20 attacks in Tennessee have affected an estimated 14 million people.
Several million of those people don’t live in Tennessee. They were affected by an HCA Healthcare leak last summer. The hospital giant runs an automated patient email service, and hackers broke into the database that supports it. An estimated 11 million patients were involved. That data included the kind of information that would be in those emails — such as patients’ names, appointment times and locations. It didn’t include financial or clinical information — such as credit card information or diagnoses.
But within days, several class action lawsuits were filed. Nashville’s NewsChannel 5 interviewed an attorney involved, who was representing a Nashville woman whose data was stolen. She said her team was fighting not just for the named plaintiffs but all 11 million patients.