A few years ago, the "Clapper" legal precedent was successfully used by breached Covered Entities to defend themselves against additional litigation (beyond that from DoHHS or State Attorney General Offices). Recently though, we are seeing not only more civil cases being filed, but also courts allowing damages to be paid.
UCLA Health just closed a $7.5M case initiated in 2015, and while we were curious to read that some of the settlement monies are going into a "cybersecurity enhancement fund", this amount of money represents a serious unplanned expense. What's not included is four years of lawyer fees defending the lawsuit.
UConn Health is responding to a class action suit, following a phishing attack that affected more than 325,000 people. We'll be reading about this case in the future, but for now it appears that the plaintiffs claim actual damages from bank fraud associated with the compromised UConn Health information.
Speaking of phishing and compromised ePHI, Oregon DHS just exposed 350,000 patients' worth of ePHI. Time will tell if another lawsuit will be filed.
Phishing works - period. Phishing campaigns to train your workforce also work to help reduce the potential for criminals to gain access to ePHI - period. Two-factor authentication can help protect ePHI, depending on how email is configured - period. You can defend yourself and protect your patients, and your actions will always be less expensive than responding to a class action lawsuit.
Stay (HIPAA) safe.