Data breach litigation: Mitigating risks in the Healthcare sector

19th November 2021

The curve

There is a marked increase in the volume of data breach claims being pursued by individual claimants and via proposed group/class actions.  This is likely to be partially related to a number of high profile group actions involving well-known brands/organisations, combined with the proactive recruitment of claimants by claims management firms.

The sensitive nature of data held by firms operating within the Healthcare sector mean that data breach claims are a particular risk.

Quite apart from regulatory concerns and requirements, the fallout from a data leak can be devastating from a reputational perspective.

The trajectory

The claims follow an all-too familiar trajectory. An organisation suffers a data breach relating to the personal data of its patients/customers/employees. Consumer-focused claims management firms then seek to sign up affected parties and prepare pre-action correspondence with a view to either putting pressure on organisations to settle, or to issuing multiple claims for damages for breach of data protection legislation, breach of confidence, misuse of private information and negligence.  Many such claims are backed by conditional fee agreements and After the Event (ATE) insurance.

Unfortunately, employees and end-users within the Healthcare sector, such as the elderly, patients and loved ones/friends and relatives, can often be particularly vulnerable to the persuasive tactics of unscrupulous claims companies.

The answer

There are some proactive steps that Healthcare organisations should take now:

Health Check.  We regularly carry out health check reviews of existing policies, procedures and training with a view to “future proofing” against claims of this nature.

Act Fast and Mitigate.  Ensure internal protocols and policies are implemented, monitored and followed. Where a breach has or is likely to arise, investigate quickly (maintaining records of any such investigation). Report breaches (or potential breaches) to your data protection team and involve specialist advisers as soon as possible, not least because a report may need to be made to the ICO. Taking quick action is not only a regulatory obligation, but may also prevent further loss and damage.

Talk to us.  The law in relation to data breach claims is developing apace [1].  Our team of commercial dispute resolution lawyers are highly experienced in resolving and robustly defending claims of this nature and are closely monitoring all key developments. This expertise, when combined with our specialist regulatory and compliance team’s understanding of the related regulatory matrix, ensures that an informed and robust strategy can be adopted if and when any Healthcare organisation faces the threat of data breach litigation.

[1] See our [recent briefing hyperlink to Warren v DSG briefing], for example.