The collection, use and disclosure of personal data trigger a range of privacy and cybersecurity laws and regulations, all of which are enforced by aggressive plaintiffs’ lawyers and government agencies. The retention of sensitive proprietary information pertaining to business partners also implicates a range of legal obligations, and exposure of such information often results in litigation and strained business relationships.
Our lawyers have handled hundreds of data breaches and draw on this experience to routinely represent clients in litigation and governmental investigations arising out of large, complex data breaches, including major incidents involving millions of personal, financial or patient records. We have also represented clients in complex class actions in courts around the country and in governmental investigations by the US Federal Trade Commission (FTC), Office for Civil Rights (OCR) and Federal Communications Commission (FCC), and by state attorneys general. We have also advised clients in disputes with vendors and business partners over losses arising out of cyber incidents.
We are the health-industry market leader with respect to handling responses to OCR investigations. Our lawyers have unparalleled experience negotiating resolution agreements with OCR on behalf of health clients, including major academic medical centers, health plans and provider networks.
We have litigated some of the most important privacy cases in recent years and have obtained landmark rulings, including the US Supreme Court’s 2015 ruling in Gobeille v. Liberty Mutual. We have defended clients in scores of federal and state cases across the country, including dozens of class actions involving claims under federal and state privacy laws, the Fair Credit Reporting Act, the Telephone Consumer Protection Act, the Fair Debt Collection Practices Act, and unfair and deceptive practices statutes, as well as numerous common-law privacy and security claims. We have also represented companies in data collection matters, disputes and class actions in a number of states involving personal information acquired at point of sale using credit and debit cards, including claims under Song-Beverly and other state statutes.
Obtained a victory before the US Supreme Court in one of the most important consumer privacy cases, Gobeille v. Liberty Mutual, persuading the Court to hold that self-funded insurance plans are exempt from a Vermont law purporting to compel disclosure of health information to the state
Represented a major e-commerce company in a dispute with its technology provider relating to the adequacy of the security in the provider’s solution, including the encryption algorithm used to secure the transactions between the e-commerce company and its customers
Assisted a large emergency medical physician practice with all aspects of its response to a theft of a portable hard drive containing medical billing information for more than 175,000 patients from over 50 jurisdictions, including drafting the template breach notification letter, breach reports to the Office for Civil Rights (OCR) and state regulators, talking points for call center operators, press releases and media notices, and an indemnification claim to the medical billing agency; after responding to OCR’s investigative data requests, the matter was successfully resolved with OCR without penalty; in conjunction with counsel to the billing agency, we obtained the dismissal, at the motion to dismiss stage, of a related consumer class action
Assisted a health plan client in responding to the theft of unencrypted desktop computers that affected over 40,000 individuals, including preparing the template breach notification letters, reporting the breach to OCR and responding to multiple investigative data requests from OCR
Assisted a large hospital system in its response to multiple investigatory requests resulting from a breach that potentially affected 3,800 individuals
Assisted a large hospital system in analyzing and preparing multiple notifications relating to a potential breach that occurred over many months in 2015 and potentially affected approximately 6,200 patients; subsequently assisted our client in responding to various investigative data requests from OCR related to the incident
Assisted a network of health care clinics in responding to multiple investigative data requests from OCR related to various breaches
Assisted a health system in its investigation of a breach that potentially affected approximately 800 patients, including preparing appropriate breach notifications and responding to multiple OCR investigative data requests about the breach
Assisted a large, multi-specialty physician practice in its investigation of a breach that potentially affected approximately 1,650 patients, including preparing appropriate breach notifications and responding to an OCR investigative data request about the breach