You may have heard of class action settlements involving a range of topics, from consumer products to data breaches. On this very website, you may have seen links to various class action settlement sites that ask for some personal information (name, date of purchase, purchased amount, receipts) in order to file a claim.
You have probably faced online forms that claim to gather your personal information for your benefit, only to find out later that the information was collected for the form owner's benefit, such as data mining or marketing analytics. Your cynicism or skepticism would be valid. So how do you know what these lawyers and law firms are doing with your personal information?
Understanding Personally Identifiable Information (PII)
Personally Identifiable Information, commonly known as PII, refers to any data that can be used to identify a specific individual, either directly or indirectly. This concept encompasses a wide range of information, from obvious identifiers like names and Social Security numbers to more subtle data points that, when combined, can pinpoint a person's identity.
The Significance of PII
In our increasingly digital world, PII has become a critical concern for both individuals and organizations. The importance of PII stems from several factors:
• Privacy Protection: As personal data becomes more valuable, safeguarding individual privacy has become paramount.
• Legal Compliance: Many laws and regulations now require organizations to protect PII, with severe penalties for non-compliance.
• Financial Implications: Data breaches involving PII can result in significant financial losses for both companies and affected individuals.
• Reputation Management: Organizations that fail to protect PII may suffer severe reputational damage.
Types of Personally Identifiable Information (PII)
PII can be categorized into various groups:
• Basic Identifiers: Name, date of birth, gender
• Contact Details: Address, phone number, email
• Professional Information: Employer, job title, work history
• Government-Issued IDs: Passport number, driver's license, Social Security number
• Health-Related Data: Medical records, biometric information
• Digital Footprints: IP addresses, online usernames, browsing history
What are Examples of PHI?
PHI Identifiers Under HIPAA
Protected Health Information (PHI) refers to any health-related data that can identify an individual. HIPAA outlines 18 identifiers that qualify information as PHI:
• Names: Names become PHI only when linked to health data. For example, "John Smith" alone is not PHI, but "John Smith was treated for diabetes" is PHI.
• Geographic Information: Geographic subdivisions smaller than a state, such as street addresses, cities, counties, and ZIP codes.
• Dates: Birthdates, admission dates, discharge dates, death dates, and ages over 89.
• Phone Numbers: Any personal or work telephone number connected to medical info.
• Fax Numbers: Identifiable fax lines used for transmitting health records.
• Email Addresses: Patient or client emails tied to healthcare data.
• Social Security Numbers: SSNs linked to health or insurance records.
• Medical Record Numbers: Unique identifiers for patient records.
• Health Plan Beneficiary Numbers: Insurance or policy identifiers.
• Account Numbers: Billing or financial accounts related to healthcare.
• Certificate or License Numbers: Professional or personal licenses connected to health information.
• Vehicle Identifiers: License plates or VIN numbers associated with an individual’s care.
• Device Identifiers: Serial numbers of medical devices like pacemakers or implants.
• Web URLs: Any website address that reveals patient identity.
• IP Addresses: Device IPs tied to an individual’s health data.
• Biometric Identifiers: Fingerprints, voiceprints, or retinal scans linked to medical records.
• Full-Face Photos: Photographs and comparable identifiable images.
• Other Unique Identifiers: Any code or characteristic that could identify a person when combined with health data.
How Names Become PHI
A name alone is not always PHI. It becomes PHI when linked with health information:
• Not PHI: "John Smith, 555-1234" in a phone book (no medical context).
• PHI: "John Smith was admitted to Bellevue Hospital with pneumonia."
• PHI: "Jane Doe received chemotherapy on May 3, 2025."
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 to protect sensitive patient health information from being disclosed without a patient’s consent or knowledge. HIPAA sets national standards for the security and privacy of PHI:
• Privacy Rule: Establishes how PHI can be used and shared.
• Security Rule: Requires safeguards to protect electronic PHI (ePHI).
• Enforcement Rule: Provides standards for compliance investigations and penalties.
• Breach Notification Rule: Requires organizations to notify individuals and regulators if PHI is compromised.
Covered entities (like healthcare providers, insurers, and clearinghouses) and their business associates (vendors or contractors handling PHI) must comply with HIPAA to ensure patient privacy and data security.
Examples of PHI Class Actions
Class action lawsuits often arise when PHI is exposed due to a data breach, unauthorized disclosure, or improper handling of sensitive medical records. Recent cases include:
• Anthem Data Breach: A massive breach compromised the PHI of nearly 80 million people, leading to one of the largest healthcare settlements in U.S. history.
• Community Health Systems Breach: Hackers accessed the PHI of 4.5 million patients, including names, addresses, and Social Security numbers.
• Montefiore Medical Center: A data breach exposed patient medical records and billing information, resulting in legal action for alleged HIPAA violations.
• Excellus BlueCross BlueShield: PHI of more than 10 million members was exposed, sparking lawsuits over inadequate data security measures.
• Banner Health: Attackers stole the PHI of 3.7 million patients, including medical records and insurance details, leading to significant legal claims.
Protecting PII
To safeguard PII, organizations should:
• Implement robust data security measures
• Provide regular employee training on data handling
• Conduct frequent security audits
• Develop and enforce strict data protection policies
• Stay informed about evolving privacy laws and regulations
Why do I need to provide personal information when filling out a claim form?
The personal information you submit in your claim form is used by the lawyers representing class members in a class action settlement to:
• Determine your eligibility and the validity of your claim,
• Compare, if necessary, against an existing database of information,
• Assess the proportionate claim amount you are entitled to.
Any information reviewed and stored by the class action administrators is maintained and accessed as per the stated privacy policies of the website. For instance, many class action law firms and their partners adhere to a well-established privacy policy standard known as the GDPR. Make sure to check the privacy policy section of any website you visit to ensure that you are aware of and comfortable with the way that your data is retained and used before you submit your information in any forms.
What is the Genetic Information Protection Act?
Your biometric or genetic information can also be considered PII, according to certain interpretations of the Illinois GIPA laws. GIPA, or the Genetic Information Protection Act, is an Illinois law that seeks to protect the genetic information of Illinoisans. The law protects individuals' privacy and guards against discrimination based on their "genetic" information, as defined by HIPAA.
Generally, the law does not allow employers to make decisions based on certain HIPAA-defined "genetic" factors such as RNA, DNA, proteins, chromosomes, metabolites, mutations, or chromosomal changes. It also prohibits the release of some of this private information to anyone other than the person being genetically tested. This is similar to how personally identifiable information is protected.
Providing Accurate Information to Class Action Administrators
This should go without saying, but make sure that you fill out claim forms with information that is up to date and correct to the best of your knowledge. The information you provide should be current, and your claim submission should include valid email addresses and phone numbers. It is your responsibility to supply accurate contact information to the class action claims administrator in order to receive a payment. Some class administrators may confirm your email or cell phone number, or notify you of upcoming settlement payments.
Additionally, accurate contact information will ensure that any follow-up from class action claims administrators reaches you. This may also be a good method for you to contact claims administrators in the event that any of your pertinent information changes, such as your home address.
How Concerned Should I Be About My Data?
As a rule of thumb, you can always err on the side of caution by doing your due diligence. That means reading the privacy policy pages of any website where you are submitting your personal data, and recording where and when you have submitted any data that is deemed personally identifiable information or personally sensitive information.