A health insurer that had laptops with personal information stolen can be sued by participants, even if they have no evidence that the thieves later misused the data, a federal appeals court ruled.
The 3rd U.S. Circuit Court of Appeals’ ruling in the case In re Horizon Healthcare Servs., Inc., Data Breach Litigation, No. 15-2309 (Jan. 20, 2017), illustrates the potential liability exposure for employers and other plan sponsors that do not have strong safeguards in place, such as encryption for laptops with sensitive information.
Two unencrypted laptops were stolen from Horizon Healthcare Services, Inc., in 2013. They contained protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA), as well as other personal identifying information (PII) such as Social Security numbers.
Four Horizon members filed a class action on behalf of themselves and the more than 800,000 other customers whose personal information was stored on those laptops. They alleged willful and negligent violations of the Fair Credit Reporting Act (FCRA; 15 U.S.C. §1681 et seq.) as well as numerous violations of state law. Essentially, they claimed that Horizon inadequately protected their personal information.
Judge Patty Shwartz concluded that a loss of privacy is itself an injury, one that courts have recognized independently of any statute.
“The intangible harm from the loss of privacy appears to have sufficient historical roots to satisfy the requirement that Plaintiffs have alleged a sufficiently concrete harm for standing purposes,” Shwartz wrote. “While Plaintiffs do not allege that the laptop thieves looked at or used their PII and PHI, Plaintiffs lost their privacy once it got into the hands of those not intended to have it.”