Premera’s data breach headaches continue in court


February 13, 2017

A putative class action suit against Premera Blue Cross, a health care benefits servicer and provider, was permitted to continue because fraud-based claims resting on affirmative misrepresentations did not require actual reliance and because the complaint sufficiently alleged breach of an express contract. The district court, however, dismissed claims related to active concealment and contract-based claims alleging breach of an implied term in an express contract (In re: Premera Blue Cross Customer Data Security Breach Litigation, February 9, 2017, Simon, M.).

Background. Premera publicly disclosed in March 2015 that its computer network had been breached, compromising information of 11 million current and former members, affiliates, and employees. The information included names, dates of birth, Social Security numbers, along with medical claims information and other protected health information (PHI) (see Premera offering identity theft protection for cyberattack victims, March 18, 2015). The individuals alleged that after discovery of the breach, Premera unreasonably delayed notifying affected individuals. In an amended pleading, the individuals alleged a number of fraud-based and contract claims stemming from Premera’s policy booklets, privacy notice, and code of conduct following the nationwide data breach.

Fraud-based claims. According to the complaint, Premera did not take appropriate measures under federal and state law to safeguard the PHI. The individuals alleged that Premera’s policy booklets, privacy notice, and code of conduct are sent to members and contain affirmative misrepresentations regarding confidentiality of the PHI. Premera argued that in an affirmative misrepresentation case, without any allegations that any individual read and relied upon the allegedly false or misleading statements, an individual could not demonstrate causation. The district court rejected this argument, noting that the state consumer protection act in question did not require actual reliance. As such, the individuals’ claim of affirmative misrepresentation would remain.

The court also found that the amended complaint sufficiently articulated that Premera should have disclosed that it did not implement industry standard access controls, did not fix known vulnerabilities in electronic security protocols, failed to protect against reasonably anticipated threats, and did not comport with its assurances regarding PHI. The amended complaint sufficiently alleged a claim for fraud by omission and claims based on alleged misrepresentations.

The court dismissed claims related to active concealment.

Contract-based claims. For reasons similar to those applied to the fraud-based claims, the district court found that the representations in the privacy notice were sufficient for a breach of contract claim. Notably, it was reasonable that an individual who received a policy booklet with an attached privacy notice would consider it an express contract of PHI protections.

The individuals, thus, sufficiently alleged claims for breach of express contract for alleged breach of Premera’s obligations contained in its policy booklet and privacy notice.

As an alternative to the claim for breach of express terms in the express contract, the amended complaint also alleged that there was an implied term in the express contract. Specifically, the individuals alleged that the express contracts implied that Premera would implement data security to safeguard and protect PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191).

Under state law, a court may imply an obligation into a contract based on five requirements: (1) the implication must arise from the language used or it must be indispensable to effectuate the intention of the parties; (2) it must appear from the language used that it was so clearly within the contemplation of the parties that they deemed it unnecessary to express it; (3) implied covenants can only be justified on the grounds of legal necessity; (4) a promise can be implied only where it can be rightfully assumed that it would have been made if attention had been called to it; (5) there can be no implied covenant where the subject is completely covered by the contract. In addition, the state has implied the duty of good faith and fair dealing into every contract. Premera argued that implying a data security term into the parties’ contract would frustrate the purpose of Congress in not allowing a private right of action under HIPAA.

The court noted that the factors must be met before implying any other term into a contract governed by state law. The individuals offered no support for the proposition that if a contract could not expressly disclaim a particular obligation, a contract that does not expressly include that same obligation would be invalid. As such, the court held that for contracts governed by state law, it would decline to imply a term into the parties’ contracts that would require adequate data security measures be taken. The fact that there is no private right of action under HIPAA, however, does not preclude causes of action under state law, even if such a cause of action requires as an element that HIPAA was violated.

The case is No. 3:15-md-2633-SI.

Attorneys: Chase C. Alvord (Tousley Brain Stephens PLLC) and Keith S. Dubanevich (Stoll Stoll Berne Lokting & Shlachter PC) for Plaintiffs. Daniel R. Warren (BakerHostetler) and Darin M. Sands (Lane Powell PC) for Premera Blue Cross.

Companies: Premera Blue Cross
