The latest legal activity in digital health and cybersecurity:
Teladoc’s pending class action lawsuit by shareholders was tossed. This was originally filed in June 2022 after the crash of Teladoc’s shares after The Big Livongo Writeoff in May 2022. Shareholder Jeremy Schneider, represented at the time by Jeremy Alan Lieberman of Pomerantz LLP, filed a lawsuit in the US Federal Court for the Southern District, located in downtown Manhattan, representing shareholders who purchased Teladoc shares between 28 October 2021 and 27 April 2022. The lawsuit cited materially false statements that Teladoc made on its business, operations, competition, and prospects that were overly positive and inflated share value. Judge Denise Cote agreed with Teladoc’s 20 January motion to dismiss based on specific disclosures that Teladoc made in multiple SEC filings in that period from the 2020 10-K on that countered claims made in the class action lawsuit.
Reading Judge Cote’s decision, Teladoc used specific limiting and warning language (what marketers call ‘downside’ language) on the risks around the merger. Their executives in public statements indicated that operations and competition were challenging. The class action suit failed to prove conclusively that the statements it identified were ‘materially misleading’ and would mislead a reasonable investor. Other statements made by executives were “largely non-actionable statements of opinion and/or expressions of corporate optimism”, a/k/a “puffery”. Class action suits of this type that go to Federal courts (versus state courts) rarely succeed due to the high bar of proof and volumes of case law at the Federal level.
This Editor noted that this particular class action did not include Mr. Schneider nor Pomerantz LLP. Different plaintiffs were represented by Labaton Sucharow LLP and The Schall Law Firm. Teladoc reportedly had no comment. Judge Cote’s opinion (Casetext), Mobihealthnews, Healthcare Dive
Easier to settle for $31 million than fight the Feds. Charged with violating the False Claims Act (FCA) and providing illegal incentives for referrals (the Anti-Kickback Statute that applies to Federally funded healthcare), NextGen Healthcare decided to settle with the Department of Justice (DOJ) for a whopping $31 million. The settlement does not admit wrongdoing by NextGen, which in its defense told Healthcare Dive that the claims made were over a decade old–and they were. At the time, their EHR used an auxiliary software that was designed only to perform the certification test scripts, thereby gaining 2014 Edition certification criteria published by HHS’s Office of the National Coordinator (ONC). In this Ur-time of EHRs, fixes like this weren’t (ahem) unusual. Compounding it was that the EHR then lacked certain additional required functionalities, including the ability to record vital sign data, translate data into required medical vocabularies, and create complete clinical summaries. Making NextGen’s decision the proverbial ‘no-brainer’ was that the controversial US Supreme Court ruling in June ruled that under the FCA, defendants are now liable for claims they suspect or knowingly believe are false, versus the previous objective standard. The Anti-Kickback Statute violation was blatant. NextGen was giving credits often worth as much as $10,000 to current healthcare customers whose recommendation of NextGen’s EHR software led to a new sale, along with incentives such as tickets to sports and entertainment events. Anti-Kickback is one of those ‘biggies’ that the average healthcare employee is trained on within their first 60 days. DOJ release
The AliveCor-Apple Federal antitrust case had a small but important split decision regarding ‘spoiliation’ in the discovery process that could impact the case’s outcome–and future litigation. This June US District Court for the Northern District of California order went against AliveCor in part of what it sought–that Apple’s deleted emails to and from Apple’s then Director of Health Strategy should be considered adverse by a jury. But Apple was then found at fault for deleting them despite their relevance to the case with a ‘duty to preserve’ that started on 25 May 2021 with the antitrust litigation. In general, emails such as these to and from relevant people are subject to a litigation hold.
- The director departed Apple only one week prior, 14 May 2021. His emails were auto-deleted at some point in accordance with company policy. In the discovery process, through other documents, AliveCor determined over a year later that the director was, indeed, relevant to the case.
- The order states that Apple should have preserved his emails from the start as he was an individual with potentially relevant information. From the order, “[the director] worked on strategic health initiatives, and the record shows that he regularly corresponded about the Apple Watch and AliveCor with individuals Apple did identify as relevant.” “Apple did not take reasonable steps to preserve electronically stored information that should have been preserved in the anticipation or conduct of litigation…” While it may have been “irresponsible and careless”, it wasn’t purposeful which then would have been considered for sanctions, but there is considerable strong language in the order that Apple’s counsel didn’t disclose the loss of this information even while under oath in a deposition.
- In the ‘adverse’ consideration, AliveCor did not gain what it wanted, which was an assumption that the lost emails were prejudicial–that they contained relevant material to AliveCor and Apple’s strategy of eliminating competition. “To the extent they existed, additional emails relevant to these topics may have been useful to enhance AliveCor’s case, but AliveCor has not shown that the absence of these emails will prevent it from proving its antitrust claims.”
AliveCor provided this Editor with a statement on the order:
“The Northern District of California judge’s description of Apple’s actions as ‘irresponsible and careless, and perhaps even grossly negligent’ in their handling of emails belonging to its former Director of Health Strategy that supported our pending antitrust case speaks to Apple’s usual playbook of shamelessly using legal tactics to steamroll innovative companies like AliveCor. Even though the judge stopped short of granting our motion to instruct the jury that they should assume the deleted emails were negative for Apple’s case, we are confident in the outcomes of our antitrust case and grateful for the outpouring of support we have received as we continue to hold Apple accountable.”
Last but certainly not least, a class action lawsuit against HCA. To no one’s surprise, it was filed last week (12 July) in the US District Court for the Middle District of Tennessee, as HCA is headquartered in Nashville. The plaintiffs are named Gary Silvers and Richard Marous, two HCA patients living in Florida, and was filed by two law firms, Shamis & Gentile and Kopelowitz Ostrow Ferguson Wieselberg Gilbert. The suit claims that HCA failed in their duty of confidentiality to protect sensitive information– personally identifiable information (PII) and protected health information (PHI)–that was contained in the hacked records. While HCA has released that the records did not include the most sensitive clinical information as it was used for email communications, the volume of 27 million rows of data that was apparently unencrypted potentially affects 11 million individuals [TTA 12 July]. The suit charges HCA with failure to safeguard ‘Private Information’ as a reasonable expectation using reasonable security procedures in light of current regulations (HIPAA, FTC), plus the susceptibility of healthcare organizations to cyberattacks which is well known. It seeks monetary damages plus injunctive and declaratory relief. This lawsuit is likely the first of many. Healthcare Dive, Healthcare IT News, HIPAA Journal
These lawsuits based on hacking and cybersecurity responsibility are becoming routine. On 7 and 10 July, Johns Hopkins was sued twice. This was for a May ransomware data breach on a software vulnerability called MOVEit that was exploited by a Russian ransomware group called CLOP. This may have compromised, according to the first suit, tens to hundreds of thousands of records, including sensitive PHI. Both suits allege negligence, breach of fiduciary duty, breach of confidence, invasion of privacy, breach of implied contract, and unjust enrichment. They seek monetary damages and injunctive relief. Both were filed in US District Court for the District of Maryland. Becker’s, Healthcare Dive, HIPAA Journal