Meghan O’Connor Quoted in Part B News Article About New York Health Care Data Breach Settlement
Meghan O’Connor, a Milwaukee-based partner in the Quarles & Brady Health & Life Sciences Practice Group and co-chair of the Data Asset Management, Privacy & Cybersecurity team, shared her perspective in a Part B News story about the significance of a data breach settlement involving a physician practice with multiple locations in the state of New York.
The $2.5 million settlement came after a class action suit in the wake of a data breach involving the practice that affected more than 167,000 people. Plaintiffs in the suit alleged the practice “maintained, used, and shared [their] Private Information in a reckless manner” that left their data “vulnerable to cyberattacks.”
O’Connor commented on the argument underpinning the plaintiffs’ case and what it likely means for other health care organizations facing a situation such as this. An excerpt:
The guidance quoted in the complaint comes directly from, and cites, a “How to Protect Your Networks from RANSOMWARE” circular at the FBI website, and a Microsoft Security advisory at their website (see resources, below).
As Meghan O’Connor, partner in the Quarles & Brady law firm in Milwaukee, reads this, the plaintiffs aren’t suggesting the guidance they cited is legally binding: “Rather, they cite it as plaintiff’s evidence of what a reasonable organization should have known and done at the time. That’s classic negligence framing: widely available guidance helps establish foreseeability and the standard of care.”
…
But even if you have good guidance sources, O’Connor warns, “compliance with guidance is not a safe harbor. In U.S. data breach litigation — particularly in health care — there is no checklist that confers immunity. Plaintiffs can still sue even if an organization followed recognized or best-in-class frameworks, because courts evaluate security in context: the nature of the data, known threats, prior warnings and how controls were actually implemented in practice.”