Michigan residents sue Thomson Reuters over public display of Social Security numbers
Case Overview
A class-action lawsuit filed in the U.S. District Court for the Eastern District of Michigan alleges Thomson Reuters publicly displayed Social Security numbers through its search engines. The plaintiffs, Michigan residents, claim the search platform made SSNs accessible without authorization, creating direct identity theft risk and potential regulatory exposure for any covered entity whose patient data appeared in the exposed records.
While this case involves a major data aggregator rather than a healthcare provider, the incident highlights a critical vulnerability independent practices often overlook: third-party data leakage. If patient SSNs or other protected health information (PHI) flow to vendors, business associates, or even billing partners who then expose that data through inadequate security controls, your practice bears regulatory liability under HIPAA's business associate accountability framework.
Key Claims
The lawsuit centers on unauthorized public disclosure of Social Security numbers via Thomson Reuters search engines. Key allegations include:
- Publicly accessible SSNs: Plaintiffs' Social Security numbers appeared in search results without consent or legal justification
- Data aggregation risk: Search platforms that index records from multiple sources may inadvertently expose sensitive identifiers
- Identity theft exposure: SSNs remain a primary vector for fraud, particularly when linked to names and addresses
For healthcare practices, this case underscores the danger of downstream data exposure. Patient SSNs collected for billing or insurance verification can surface in unexpected places if vendors lack proper access controls.
Legal Implications
HIPAA's Omnibus Rule makes covered entities directly responsible for business associate failures. If a practice shares PHI with a vendor who then exposes it through poor security practices, both entities face enforcement risk. HHS OCR has imposed multi-million-dollar penalties when covered entities failed to properly vet vendors or enforce contractual safeguards.
The average data breach costs healthcare organizations $9.8 million (IBM Security, 2024), with breach lifecycles averaging 258 days from initial compromise to containment. Class-action litigation adds another layer: even if OCR doesn't pursue enforcement, affected patients can sue for damages, as demonstrated by this Thomson Reuters case.
The Michigan residents filing this lawsuit establish standing based on injury-in-fact: their SSNs were exposed without consent. Healthcare practices face similar exposure when patient data reaches vendors who lack adequate security controls, particularly when those vendors aggregate data from multiple sources or display it in searchable formats.
What This Means for Your Practice
Audit your data flows immediately. Many practices share SSNs, dates of birth, and insurance identifiers with billing partners, clearinghouses, and EHR vendors without confirming where that data ultimately goes. Questions to ask:
- Does your billing vendor share data with third-party aggregators?
- Are Business Associate Agreements (BAAs) in place with every entity that touches PHI?
- Do BAAs include downstream subcontractor liability clauses?
- When was the last time you reviewed vendor security practices?
This case also highlights Social Security number minimization. HIPAA doesn't require SSNs for treatment, and many practices have transitioned to medical record numbers or other non-sensitive identifiers. Reducing SSN collection reduces downstream exposure.
How Patient Protect Helps
Patient Protect's Vendor Risk Scanner tracks every business associate, monitors BAA expiration dates, and flags vendors with inadequate security controls. The platform maintains an immutable log of which vendors access which data types, creating an audit trail HHS OCR expects during breach investigations.
The ePHI Audit Logging feature captures per-session access patterns, so if a vendor relationship leads to unauthorized disclosure, you have forensic evidence showing exactly what data left your environment and when. This documentation is critical for limiting liability when downstream partners fail.
For practices concerned about data minimization, Patient Protect's Autonomous Compliance Engine generates policy guidance on SSN collection alternatives and flags instances where staff are collecting unnecessary identifiers. The platform's 80+ Training Modules include specific content on vendor risk management and third-party data flows.
Start a free trial at hipaa-port.com or check your current vendor risk exposure at patient-protect.com/risk-assessment.
This editorial was generated by AI from publicly available source material and is clearly labeled as such. It does not constitute legal, compliance, or professional advice. Inclusion of any entity does not imply wrongdoing. Patient Protect makes no warranties regarding accuracy or completeness. Verify all information with the original source before relying on it.