Once More Unto the Breach

The client who changed the direction of Torin Dorros’ career was a nurse in the midst of a new relationship. All was going well, until she discovered that her partner’s ex—also a nurse—had, in a fit of jealousy, accessed her medical files, including mental healthcare and OB-GYN records, and posted the information online.

Dorros reached out to the medical provider, citing a violation of the California Confidentiality of Medical Information Act. As the case was resolving in mediation, Dorros, who’d been representing clients in the healthcare sector for nearly 15 years, began to see that this kind of work would be increasingly relevant and necessary.

“Roughly 12 years later,” he says, “it’s 95% of my practice.”

The founder of an eponymous firm in Beverly Hills, Dorros comes from a family of physicians: His father is a neuroradiologist, his uncle a cardiologist, and several other family members have their own specialties. Dorros briefly considered going into medicine himself, but he had a preference for debate. After graduating from the University of Houston Law Center in 1996, he relocated to San Francisco to join an appellate firm that included hospitals and doctors among its clients. 

Quickly he became involved in a groundbreaking project. “Someone called me and said hospitals and doctors are looking to email their medical records, and they’re trying to figure out what type of law to put into place to protect the privacy side of these medical records,” he says. “I ended up advising them on the privacy rule of HIPAA.”

At the time, both telemedicine, and HIPAA, the Health Insurance Portability and Accountability Act, signed into law by President Bill Clinton in 1996, were new, and increasingly they became a critical element of care. This, along with entertainment law, was the brunt of Dorros’ practice until the phone call from the nurse in 2013. 

He estimates he’s now worked on nearly 1,500 cases involving medical privacy breaches.

Most breaches, he adds, are not intentional and malicious but the result of human error. “It’s really rare for the defendant to be the actual doctor,” he says. “Doctors, by overwhelming percentage, really do a good job of respecting privacy. Some states, like Texas, have a whole privacy training program in order to get your license.”

Regardless of intent, there is potential for serious damages. “They have different fact patterns but they’re all somewhat similar in nature,” says Dorros. “Patient has medical information or medical records at a provider, and it gets released to someone without authorization.” 

I’m not here to do damage to [hospitals]. I’m here to protect my client’s privacy rights. That can be done without being a jerk.

His largest case was a class action against Aetna in 2017. A third party working for the health insurance company sent notices to more than 11,000 patients in envelopes with large plastic windows through which information regarding their HIV medication was visible. “The allegation was, ‘Listen, you violated people’s privacy because you sent it in the mail, it was viewable by anyone, and that triggered a breach,’” he says. 

Dorros says Aetna and its counsel came to the negotiating table in good faith, and the case—believed to be the world’s largest data breach involving HIV privacy at the time—settled for $17 million.

“More often than not, providers in this area truly do appreciate and respect their patients’ privacy and step up to the plate,” he says. “That’s why these cases don’t get to court a lot.”

Computer hacking gets a lot of media attention, but even there Dorros notes it’s necessary to examine whether it was a true computer hack or merely a problem with the technology that allowed patient files to be accessed relatively easily. Again, bad actors or human error?

“For the number of patients that are served and the number of providers that maintain medical records, I think things are done pretty darn well,” he says.

In negotiations, Dorros brings an eye toward settlements in part to maintain what privacy is left for the client, and in part because of his history and respect for the medical profession. 

“Having been an attorney for hospitals and doctors for 15 years before switching to representing patients, I absolutely take the hospital’s and the doctor’s and the nurse’s positions into consideration,” he says. “I’m not here to do damage to them. I’m here to protect my client’s privacy rights. That can be done without being a jerk.”

Dorros would like to see the legal system understand more broadly how harmful medical privacy breaches can be. He uses a hypothetical example of an up-and-coming athlete who sustains an injury that’s leaked to the press just when he or she is about to turn pro. 

“Every patient, their information is important to them for one reason or another,” he says. “I respect that. And I have to get the other side to respect that, too.”