Photo of Steven Boranian

We have two things in common with the petitioner in Mancini v. Commissioner of Internal Revenue, No. 16975-13, 2019 Tax Ct. Memo LEXIS 16 (U.S. Tax Ct. Mar. 4, 2019).  First, we both will be filing our 2018 tax returns in about a month from now, unless of course Mr. Mancini is more on top of things than we are and has already filed.  Second, neither of us will be deducting our net gambling losses, but for different reasons.  For our part, we don’t have any gambling losses of which to speak.  For Mr. Mancini, he will not be deducting net gambling losses for 2018 or any other year because the Tax Court has ruled that his gambling losses are not a “casualty loss” that would be fully deductible under the U.S. Tax Code.

Yes, you read that correctly.  We are blogging about a tax case, which might amuse our tax attorney colleagues, but may leave our faithful readers in the drug and medical device world scratching their heads.  There is, however, a compelling tie-in:  The petitioner in Mancini was trying to deduct his gambling losses as a “casualty loss” under the Tax Code because they allegedly resulted from compulsive gambling caused by his treatment with Parkinson’s disease medication.

Although the Tax Court rejected the petitioner’s attempt to recharacterize his gambling losses, impulse control disorders such as compulsive gambling, compulsive shopping, and hypersexuality are diagnosable conditions that are more common than you might think.  Be that as it may, the petitioner rolled snake eyes.  He was diagnosed with Parkinson’s disease and was treated with increasing doses of Pramipexole, a dopamine agonist used to treat the condition.  While on a relatively high dose, the petitioner started gambling more and more, resulting in substantial losses.  When his wife and daughter eventually intervened, his neurologist discontinued the medication, and his gambling diminished, except to a “limited extent.”  Id. at **2-**3.  He later tried to deduct his losses, but rather than limit his gambling loss deductions to his gambling winnings, he called them “casualty losses” and tried to deduct them in their entirety.

A casualty loss is a non-business loss that arises “from fire, storm, shipwreck, or other casualty, or from theft.”  You know, like when a tree falls on your house during a storm.  The petitioner claimed that his gambling losses were an “other casualty” because his compulsive gambling “manifested abruptly once his dosage reached a certain level, it was unexpected . . . , and it was unusual, even for Pramipexole takers.”  Id. at **18.

The Tax Court ultimately rejected the deduction, but in the part of the order that we find most noteworthy, the Court ruled (1) that Pramipexole was capable of causing compulsive gambling and (2) that it had actually caused compulsive gambling in the petitioner.  The Tax Court discussed these concepts in terms of “framework evidence” and “diagnostic evidence,” but we know them more commonly as “general causation” and “specific causation.”

Whatever you call them, the Tax Court’s ruling was based on the slimmest of scientific evidence.  On general causation, the Tax Court relied on the plaintiff’s expert, whose “knowledge comes from reading published studies—he even directly cited one during his testimony.”  Id. at **12.  Significantly, the government did not offer contrary evidence, leaving the expert’s opinion that Pramipexole could cause impulse control disorders essentially uncontested in a forum where the etiology of alleged drug side effects is rarely, if ever, considered.  If the government had dug into the published studies, we expect it would have found a considerably more nuanced situation, but the Tax Court will never know.

On specific causation, the same expert drew his conclusion from the petitioner’s medical records, which showed that his compulsive gambling occurred while he was on his peak dose.  Id. at **14-**15.  We know this as “challenge and de-challenge,” where the onset of a complication coincides with the beginning of therapy and the complication abates when therapy is discontinued.  The problem with drawing causation opinions from “challenge and de-challenge” is that it relies solely on temporal correlation and ignores other potential causes and/or risk factors.  Did the petitioner have more free time and access to gambling?  Did he experience a “big win” or a “near miss,” both well-known risk factors for compulsive gambling?  Did the court take into account his family’s intervention, which can have a powerful impact on gambling behavior?  It appears other potential causes were neither raised nor considered, which causes us to question the Tax Court’s finding of a causal relationship.

In the end, the petitioner lost his deduction because he did not suffer a “casualty loss,” regardless of the cause of his compulsive gambling.  For one thing, there was no physical damage to property, which is required under “sixty-odd years of caselaw.”  Id. at **18-**21.  Further, the losses were not “sudden” or “immediate,” like a tree falling on your house.  As the Court put it, “These losses were necessarily the result of dozens or hundreds of individual gambling sessions and probably thousands of separate wagers.”  Id. at **23.

The upshot is that the Tax Court’s questionable conclusion on causation wound up being superfluous.  One footnote is that the petitioner did try to sue the drug manufacturer in a product liability lawsuit, but was found to be time barred.  Id. at **5.  Perhaps his tax strategy was his fallback position, and we don’t blame him for trying to manage his tax burden within the limits of the law.  I guess that makes three things we have in common.

Medical device sales representatives are often present in the operating room during surgical procedures, especially with procedures involving orthopedic devices.  With those kinds of devices (and others), the hospital typically contacts the sales representative in advance, and he or she is charged with delivering the device in the specified size and providing any specialized instrumentation required for implantation.  The system is logical and effective, but it still comes as a surprise to many lay people that an industry representative is involved at all.  Plaintiffs’ attorneys sometimes emphasize this disconnect to suggest that something untoward is going on, although surgeons and nurses will tell you that a sales consultant’s presence in real time is an integral part of the process.  Many surgeons will tell you that they always expect the consultant to be there.

We were thus surprised to see the tables turned in Parker v. Orthofix Inc., No. 3:17-cv-248, 2019 U.S. Dist. LEXIS 24271 (D. Or. Feb. 14, 2019), where the plaintiff faulted the medical device sales representative for not being present for her surgical procedure.  At first blush, it seems like a damned-if-you-do-damned-if-you-don’t situation, but in the end the district court’s order rejecting the plaintiff’s claim came down to the evidence.  The court granted summary judgment for the manufacturer because the plaintiff could not produce evidence suggesting that the defendant’s representative should have been there (with instruments in tow), let alone that any duty existed or was breached.

Here is what happened.  The plaintiff underwent vertebral fusion surgery using the defendant’s plating system, but her pain persisted.  She therefore went to another surgeon, who determined that a second surgery was required to remove the defendant’s plate and re-perform the procedure using a competitor’s plate.  Id. at *4-*5.

This is where things went off track.  The hospital’s supply office arranged to have the competitor’s replacement plate available (apparently delivered by the competitor’s sales consultant), but after the surgeon started the procedure, he realized that he did not have the specialized tool required to remove the defendant’s plate.  It is not entirely clear why.  The hospital’s clinic supervisor said she never requested the specialized tool because the surgeon did not note in his pre-surgery report that he intended to remove the defendant’s device.  Id. at *6-*7.  The surgeon wrote in his post-operative note (and later testified) that he believed that someone had contacted the defendant beforehand to secure the specialized tool and was told that the surgeon could use instruments from the hospital’s universal tray.  Id. at *7.

Whatever occurred before the procedure, the evidence was uniform that the surgeon telephoned the defendant during the surgery and learned that he needed the specialized tool, resulting in the surgeon ending the procedure.  The plaintiff required a third surgery, which also failed to resolve her pain.  Id. at *7-*9.

The plaintiff sued only the medical device manufacturer, and instead of alleging the usual defect allegations against the defendant’s plating system, the plaintiff claimed only that the defendant “negligently misinformed [the hospital] and the surgical team before the unsuccessful surgery about the tool needed to remove the [plate] being contained within a universal tray” and that “this misinformation caused the surgical team to begin operating on Plaintiff without having the correct tool, resulting in the surgical team needing to abandon that surgery.”  Id. at *8-*9.

It turns out, however, that the plaintiff did not have admissible evidence that anyone had ever contacted the defendant before the surgery, which would explain why the defendant’s sales consultant was not there.  The surgeon wrote in his post-operative note that he believed that someone had contacted the defendant, only to be told that the universal tools would do.  But what “someone” was told is obvious hearsay, and there was no other evidence of that purported conversation.  Throughout discovery, no one could even identify the person who placed this call nor the person who received it.  Thus, while the surgeon’s post-operative note met the business-records exception to the hearsay rule, the plaintiff could not account for the second and third levels of hearsay.  Id. at *10-*15.  That is to say, writing down that “someone told me that someone told him or her” is not admissible evidence.  See Fed. R. Evid. 805 (separate exception required for each level of hearsay within hearsay).

The surgeon’s deposition testimony met the same fate:  “I can remember in this case someone telling me that they had talked to Orthofix, and . . . saying that . . . the plate was easy to take out . . . with what I believe is called a universal system.”  (Id. at *16-*17) (emphasis in original).  Again, hearsay within hearsay, as was the testimony of the competitor’s sales representative:  “I had spoken with [the surgeon] and it was his understanding that we would only need the universal system . . . he thought the hospital had contacted the Orthofix rep to get the product there.”  Id. at *20-*21.  This piling on did not help because hearsay problems cannot be cured with still more inadmissible hearsay.

Beyond that, the plaintiff opposed summary judgment with evidence of the contact made with the defendant during surgery.  But that evidence did not raise a dispute of material fact.  The plaintiff’s claim alleged that the defendant misrepresented the tools required to remove the defendant’s plate, which caused the surgical team to start and later abandon the second surgery.  Thus, undisputed evidence that the defendant provided information after the surgery commenced was irrelevant:

Because Plaintiff alleges that Defendant supposedly gave this misinformation to the surgical team before surgery, evidence of a statement made by an employee or agent of Defendant during the unsuccessful surgery would not provide support for Plaintiff’s claim or create a genuine dispute of material fact.  By that time, the surgery had begun and any misstatements made during that surgery cannot be the cause of that surgery having occurred.

Id. at *19-*20 (emphasis in original).  So something fell through the cracks here, and it was no fault of the plaintiff.  It was likewise not the defendant’s fault.  As the district court concluded, “[S]omeone dropped the ball . . . .  Whether that someone was [the surgeon], someone on his surgical team, someone working for [the hospital], someone working for Defendant, or someone else, the Court cannot determine, and on the evidence presented by Plaintiff neither can a jury.”  Id. at *22.  Summary judgment granted.

Bexis is known to say that nothing good ever comes out of Missouri, but the Missouri Supreme Court has proven him wrong.  We have long made exceptions to Bexis’ proclamation for Mark Twain, Maya Angelou, and Kansas City barbeque, and we can now add to that list the Missouri Supreme Court’s new opinion in State ex rel. Johnson & Johnson v. Burlison, No. SC96704, 2019 WL 581175 (Mo. Feb. 13, 2019), where the Missouri Supreme Court took another step toward limiting the blatant forum shopping and venue abuse to which Missouri practitioners have become accustomed.

The controversy arises from Missouri’s unique and permissive joinder rules, which have been widely used to pile scores of non-resident plaintiffs into St. Louis City (which is different from St. Louis County) by joining their claims with those of one St. Louis City resident.  You can read our take on the issue here.  As you might expect, we have bemoaned this practice as unjustified and unfair.

The Burlison opinion is a game changer for the better.  In Burlison, one St. Louis City resident filed an action in St. Louis City along with dozens of non-Missouri plaintiffs against New Jersey and Delaware defendants.  The defendants filed motions to sever the non-residents and transfer their cases to other venues, which the court denied.  Id. at *1.  After multiple amended petitions (and an equal number of overruled objections to venue), the court set one plaintiff for trial—a resident of St. Louis County (which again is different from the City).  After yet another overruled objection to venue in St. Louis City, the defendants petitioned the Supreme Court for a writ of prohibition arguing that venue in St. Louis City was improper.  Id. at *2.

The Supreme Court agreed and held that Missouri’s permissive joinder rules could not trump the standard venue rules.  That is to say, plaintiffs who cannot themselves establish venue in St. Louis City cannot enter that forum through the backdoor by joining with one St. Louis City resident.  The opinion’s discussion started strong:

The central issue in this case is whether permissive joinder of separate claims may extend venue to a county when, absent joinder, venue in that county would not otherwise be proper for each claim.  It cannot and does not.  This is evidenced not only by our Court’s rules but also nearly 40 years of this Court’s precedent.

Id. at *3 (emphasis added).  The plaintiff had argued that the venue statute (Mo. Rev. Stat. § 508.010) does not dictate one specific venue when multiple joined plaintiffs claim their injuries occurred both inside and outside Missouri.  Moreover, the joinder rule (Civil Procedure Rule 52.05(a)) allows “two or more separate causes of action” to be joined in one petition.  Id.  Thus, according to the plaintiff, he and the other plaintiffs could unilaterally choose their venue, including St. Louis City, by banding together.  Id.

The problem for the plaintiff is that his position runs directly contrary to another Missouri rule—Rule 51.01, which expressly states that the rules of civil procedure “shall not be construed to extend or limit the jurisdiction of the Courts of Missouri or the venue of civil actions therein.”  Id. (emphasis in original).  Because the plaintiff could not have established venue in St. Louis City if he had sued on his own, he was relying on a rule of civil procedure (the joinder rule) to expand venue.  The rules and precedent applying them prohibit that result:

What Rule 51.01 and the holding in Turnbough [v. Gaertner, 589 S.W.2d 290, 292 (Mo. 1979)] make clear is joinder of [the plaintiff’s] claims with the other claims alleged in the petition cannot extend venue to a county where [the plaintiff’s] claims could not otherwise be brought and pursued.  Because [the plaintiff’s] wife was first injured in St. Louis County, § 508.010.4 dictates the proper venue for [the plaintiff’s] claims is St. Louis County.  The city of St. Louis is an improper venue . . . .

Id. at *6 (emphasis added).  The Supreme Court therefore ordered the plaintiff’s claims severed and transferred to the proper venue.

There were two long dissents, which we will not parse here.  We will say, however, that one complains that “the Court holds that no plaintiff or claim can be joined with any other plaintiff or claim unless venue can be established independently for each claim” and that “[i]n the future, numerous claims that previously could have been filed together in one action—and in one venue—must now be filed separately.”  Id. at *14.  The dissent holds this out to be a self-evidently bad thing, but we (and a majority of the Missouri Supreme Court) clearly see this as the correct and proper result.  We do not see the good in allowing large groups of unrelated plaintiffs to join their claims together in a forum with which neither they nor their claims bear any relation, and we have always wondered why courts tolerate it.  Add the Missouri Supreme Court to the list of those that will not.

It is easy to articulate the core principle behind the First Amendment right to free speech:  The government can’t restrict what you say or make you say what the government wants without a good reason.  Ah, but how good a reason and what kind of reason?  That is where it gets more complicated.  How do we distinguish, for example, between a law that requires every man, woman, and child to declare “All hail the mighty New England Patriots” in public every day and a law that requires certain government-approved warnings with prescription drugs?

Both represent the government compelling speech, but one passes constitutional muster in its current form while the other clearly would not.  (Hint: The unconstitutional one is the hypothetical law compelling Patriot worship, which would be a bad idea with or without the First Amendment and might even run afoul of the prohibition on cruel and unusual punishment.)  Whether government regulation of speech violates the Constitution depends on the nature of the regulation and the standard under which courts review the law, and all of this is put on display in the Ninth Circuit’s recent en banc opinion striking down San Francisco’s sugar-sweetened beverage warning law.  The case is American Beverage Ass’n v. City and County of San Francisco, — F.3d —, No. 16-16072, 2019 WL 387114 (9th Cir. Jan. 31, 2019), and while the entire eleven-judge panel agreed that San Francisco’s law violated the First Amendment, it filed four different opinions explaining why.

As far as public health policy goes, San Francisco’s beverage warning law was a clumsy effort.  It required that advertisements for sugar-sweetened beverages include the following warning in a size no smaller than 20 percent of the ad and set off in a rectangular box—a sort-of “black box” warning:

WARNING:  Drinking beverages with added sugar(s) contributes to obesity, diabetes, and tooth decay.  This is a message from the City and County of San Francisco.

Id. at *1.  The law applied to some sugary drinks—but not all.  It applied to some advertisements—but not all.  And, importantly, the warning was not factually true—sugary drinks do not contribute to Type 1 diabetes.  We are no fans of sugary drinks, but we can’t help but think that the law has a certain arbitrary feel to it.

So maybe the law could have been written better and maybe it represented debatable public policy.  But was it unconstitutional?  The majority decided that it was, and it came to that conclusion after applying a form of “rational basis” review and rejecting the application of heightened scrutiny.  That is to say, the government did not have to demonstrate that its regulation of commercial speech was “narrowly tailored” to a compelling governmental interest or that it met any other version of heightened scrutiny—strict, intermediate, or otherwise.  Id. at *4-*5.  Referring to Supreme Court precedent, the majority set the standard as follows:

[B]efore NIFLA [National Institute of Family & Life Advocates v. Becerra, 138 S. Ct. 2361 (2018)], we examined a similar health and safety warning and held squarely that Zauderer [v. Office of Disciplinary Counsel, 471 U.S. 626 (1985)] provides the proper analytical framework for considering required warnings on commercial products:  “[T]he government may compel truthful disclosure in commercial speech as long as the compelled disclosure is ‘reasonably related’ to a substantial governmental interest.”  CTIA, 854 F.3d at 1115-17.  We rejected the argument that intermediate scrutiny—as required by Central Hudson, 447 U.S. 557, for situations in which speech is restricted or prohibited—should govern.  We also rejected the argument that Zauderer applies only to situations in which the government requires disclosures to prevent consumer deception . . . .

Id. at *4 (emphasis added).  Let’s unpack that a little bit.  At least when it comes to health and safety warnings, the Ninth Circuit held that the government can compel truthful disclosure so long as the disclosure is reasonably related to a substantial governmental objective.  That situation is to be distinguished from laws restricting or prohibiting commercial speech, to which intermediate scrutiny under Central Hudson would apply.  Then there is strict scrutiny, which should apply to certain other regulation of speech.

When it came to San Francisco’s beverage law, the Ninth Circuit majority applied the Zauderer three-part test to determine whether the law survived rational basis review:  Whether the notice is (1) purely factual, (2) noncontroversial, and (3) not unjustified or unduly burdensome.  Id. at *4.  The law fell on the third requirement:

On this record, the 20% [size] requirement is not justified when balanced against its likely burden on protected speech.  [¶]  In addition, . . . [San Francisco has] not shown that the contrasting rectangular border containing a warning that covers 20% of the advertisement does not “drown[ ] out” Plaintiffs’ messages and “effectively rule[ ] out the possibility of having [an advertisement] in the first place.” . . .

The required warnings therefore offend Plaintiffs’ First Amendment rights by chilling protected speech.

Id. at *5.  We have no strong opinion on this particular law.  We are, however, surprised that the Ninth Circuit did not apply a heightened level of scrutiny.  The result would have been the same, but the court could justifiably have set the bar higher for laws that compel commercial speech.

That was the opinion of one judge who concurred in the result, but dissented “from most of the reasoning.”  Id. at *6-*10.  In this judge’s view, the San Francisco beverage law was a “content-based regulation of speech, which is subject to heightened scrutiny under the First Amendment unless the Zauderer exception applies.”  Id. at *6.  In other words, strict scrutiny applies unless the compelled notice is purely factual, noncontroversial, and not unjustified or unduly burdensome.  Id. at *7, and see supra.  Here, the factual accuracy of the required warning was disputed, and with regard to Type 1 diabetes the warning was literally false.  Id. at *8.

Moreover, the law was anything but “noncontroversial.”  To the contrary, “the warning here requires the advertisers to convey San Francisco’s one-sided policy views about sugar-sweetened beverages.”  Id.  Recall that the requirement that the compelled speech be “noncontroversial” comes from very recent Supreme Court authority, a 2018 opinion addressing mandated government messaging at prenatal clinics.  See NIFLA, 138 S. Ct. 2361.  If any “controversial” or “inaccurate” government-compelled message triggers heightened scrutiny, then why would that not apply to government-mandated drug warnings that similarly lack scientific support?  Food for thought.  Finally, requiring commercial speakers to “fight a government-scripted message that drowns out their own advertisements is unduly burdensome.”  Id.  Under these circumstances, heightened scrutiny should apply, and “[b]ecause the warning requirement is not narrowly drawn” to a substantial state interest, “it does not survive even intermediate scrutiny.”  Id. at *9.

Two other judges wrote separately to note that they would find the ordinance unconstitutional on the sole basis that it was not purely factual, which they believed to be a threshold question.  Yet another judge wrote that Central Hudson controlled and that “the Supreme Court held that regulation of commercial speech is evaluated under an intermediate scrutiny standard.”  Id. at *13.  Although this final opinion did not garner a majority, it cut to the core of the dispute with this conclusion:  “I share . . . concerns that our current case law [applying rational basis review] will lead to a ‘proliferation of warnings and disclosures compelled by local municipal authorities’ that have ‘only a tenuous link to a ‘more than trivial government interest.’”  Id. at *13 (internal citations omitted).  This captures the classic First Amendment question:  How good a reason and what kind of reason does the government need to restrict what you say or compel you to say what the government wants?  The majority answered that the government can compel truthful disclosure that is reasonably related to a substantial governmental interest.  A minority would have held the government to a greater level of scrutiny.

We have a feeling we have not heard the last of this, particularly as to what is, or is not, “purely factual” and “noncontroversial,” and particularly as to the level of scrutiny required to satisfy the First Amendment test.  In many drug and medical device cases, plaintiffs are positing liability on theories that defendants should have warned (thus seeking to compel speech in the form of warnings) about risks or other information that the FDA has concluded are not scientifically based.  If scientific basis, or its absence, equates to either the “purely factual” or “noncontroversial” elements of an emerging First Amendment test, then the basis exists for a new constitutional defense in a significant number of prescription medical product liability actions.  And as to California, requiring governmentally compelled warnings to have sufficient scientific basis as to be “noncontroversial” has obvious implications for that state’s Proposition 65.

What do you get when no one has been injured and the most you can say is that maybe someone received medicine made from an active pharmaceutical ingredient that may have contained—but was never actually observed to contain—a harmless contaminant?  Add to that that you can’t really tell who might have used the product that may (or may not) have been affected.  Why, of course, you get a consumer class action—one where patients received exactly the therapeutic benefit they bargained for and probably did not pay for it themselves anyway, but they still want money.

This is what class actions in the pharmaceutical space often look like—no-injury classes seeking partial or full refunds of the purchase prices for products that worked, but allegedly were not all they were supposed to be.  Take for example a New Jersey case from a couple of months ago, Fenwick v. Ranbaxy Pharmaceuticals, Inc., No. 3:12-cv-07354, 2018 WL 5994473 (D.N.J. Nov. 13, 2018), where the district court denied certification of a putative nationwide class on the basis that it was impossible to ascertain who would be in the class and that individualized issues predominated.

In Fenwick, the defendant voluntarily recalled multiple lots of its generic cholesterol medicine after manufacturing employees noticed blue particles in the raw material used to make the product.  The tiny particles were glass from glass liners on machines used in the manufacturing process, so the manufacturer discarded that batch.  Id. at *1.  Another batch was later shipped from the same facility to another facility, where it was made into pills, which were then sent to the distribution center of 35 different companies.  No one had actually observed particles in this later batch, but the manufacturer nevertheless voluntarily recalled the pills made from the batch and eventually recovered about 85 percent of the bottles shipped.

The rest were distributed to pharmacies, where some portion was further repackaged and dispensed to patients.  Id. at *1-*2.  Exactly who those patients were was anyone’s guess, and whether any of the recalled product was actually affected by any manufacturing issue was similarly a matter of speculation.  The manufacturer and the FDA agreed that the possibility of any health consequences was “extremely low” and that “patients who have the recalled medicine can continue taking it.”  Id. at *1.

Five individuals who allegedly purchased the drug filed a class action purporting to represent a nationwide class of consumers who were not injured and did not even necessarily use a contaminated product.

The heart of the order denying class cert is the district court’s discussion of the ascertainability of the proposed class.  There was a time when federal courts did not necessarily require that plaintiffs prove that it was possible to ascertain a class’s members, but the requirement is now well established.  The district court described it in the following very quotable passage:

Ascertainability functions as a necessary prerequisite (or implicit requirement) because it allows a trial court effectively to evaluate the explicit requirements of Rule 23.  In other words, the independent ascertainability inquiry ensures that a proposed class will actually function as a class. . . .  The ascertainability inquiry is two-fold, requiring a plaintiff to show that: (1) the class is ‘defined with reference to objective criteria’; and (2) there is ‘a reliable and administratively feasible mechanism for determining whether putative class members fall within the class definition.’ . . .  [A]scertainability only requires the plaintiff to show that class members can be identified. . . .  However, a party cannot merely provide assurances to the district court that it will later meet Rule 23’s requirements . . . [n]or may a party ‘merely propose a method of ascertaining a class without any evidentiary support that the method will be successful.’

Id. at *4 (internal quotations and citations omitted).  The gist is that the putative class representatives do not have to identify each class member before moving for class certification, but they have to prove that they can do it through an objective and reliably feasible method.

And that is where the class in Fenwick failed.  The plaintiffs relied on their damages expert, who sampled dispensing information from four retailers and opined that he could identify class members by reference to the timeframe during which recalled and non-recalled pills were available and the National Drug Code, the unique FDA number that identifies a drug and its manufacturer.  Id. at *6.  This method, however, did not pan out:  It was based on a sample of only four companies; it did not include consumer-level data for most of the companies; it did not identify any individual consumers; and it included consumers who bought pills from non-recalled lots.  Id.  If there were ever a case calling for application of the Daubert reliability standard at the class certification phase, this was it.  Regardless, the opinion was not close to meeting the objective and reliably feasible standard for ascertaining putative class members.

At bottom, it is simply not possible to identify class members based primarily on NDC numbers, at least not without a host of additional information, including “a means to identify consumers.”  Id.  “Plaintiffs have not shown that the data they have provided includes this necessary information.”  Id.

The district court could have stopped there, but it also ruled that the plaintiffs failed to prove that common issues would predominate.  They were purporting to assert claims for breach of implied and express warranties and unjust enrichment on behalf of a nationwide class.  To avoid predominating individual issues inherent in the application of 50 states’ laws, the plaintiffs urged application of New Jersey law to the entire class.  The district court, however, conducted a choice-of-law analysis and concluded that each individual class member’s home state had the most significant relationship to the plaintiffs’ warranty claims.  With the application of multiple states’ laws, common issues could not predominate.

The story here is a lack of ascertainability, and this class died when the plaintiffs’ expert agreed that there is “likely no feasible way to accurately identify” individuals who actually bought the recalled product.  Id. at *8.  The correct result for the correct reason.

We have taken a daily multivitamin ever since our doctor told us that we were chronically deficient in a particular vitamin, the one you can get from being out in the sun.  Given our chosen line of work, we should not be surprised that we don’t get enough sunlight.  We should also not be surprised that dietary supplements—such as our daily chewable multivites—generate substantial litigation, usually based on the premise that the supplements don’t do what their sellers say they are supposed to do.

Plaintiffs often file these kinds of lawsuits in California because of California’s liberal consumer protection laws, but many of them find out that the FDA regulates dietary supplements as food.  Regular readers of the blog can see where this is headed.

That’s right.  Federal preemption.

Take for example the Ninth Circuit’s recent opinion in Dachauer v. NBTY, Inc., No. 17-16242, 2019 WL 150016 (9th Cir. Jan. 10, 2019).  In that case, the plaintiff purchased vitamin E supplements that claimed on their labels to “support cardiovascular health” and to “promote[ ] immune function.”  Id. at *1.  The court noted that the plaintiff “purchased one bottle of the supplements for health reasons.”  Id.  We think it is more likely that the plaintiff’s attorneys had an expert who questioned the value of vitamin E supplements and sent the plaintiff to buy his “one bottle” for litigation reasons, rather than “health reasons.”  But we don’t really know and are probably just being cynical.

Regardless, the plaintiff sued under California’s consumer statutes alleging that the supplements do not prevent cardiovascular disease and might increase the risk of all-cause mortality, rather than promote “immune function.”  Id.

Here is where the FDA’s regulation of dietary supplements comes into play, and there are only two things you really need to know.  First, the FDCA has an express preemption provision for certain food labeling claims, under which federal law preempts any state law that establishes “any requirement respecting any claim . . . made in the label or labeling of food that is not identical to [federal requirements].”  Id. at *3 (citing 21 U.S.C. § 343-1(a)(5)).  This is a strong preemption provision, and the “identical to” language is arguably even stronger than the “different from or in addition to” language that we are used to in the medical device context.

Second, when it comes to dietary supplement labeling, the FDCA distinguishes between “disease claims” and “structure/function claims.”  A “structure/function claim” describes the role of a nutrient or ingredient intended to maintain the structure or function of the body.  By comparison, a “disease claim” claims to diagnose, mitigate, treat, cure, or prevent disease.  Id. at *2.  An FDA guidance provides that structure/function claims can use general terms, such as “strengthen,” “improve,” and “protect,” so long as the claims “do not suggest disease prevention or treatment.”  Id. (quoting Regulations on Statements Made for Dietary Supplements Concerning the Effect of the Product on the Structure or Function of the Body, 65 Fed. Reg. 1000-01 (Jan. 6, 2000)).  Apropos to this case, the guidance identifies “helps maintain cardiovascular function” as an example of a permissible structure/function claim.  Id.

Having made labeling claims that are quite clearly permissible structure/function claims, the defendant moved for summary judgment on the basis that the plaintiff’s claims were preempted.  In other words, the plaintiff was asserting that state law required labeling different from the federally approved labeling.  The district court granted summary judgment, and the Ninth Circuit affirmed.  With regard to the labeling claim that the supplement “support[ed] cardiovascular health,” the plaintiff had an expert who disagreed, but the federal requirement was what it was, and the plaintiff’s expert could not just erase it:

The FDA allows manufacturers of supplements to make general claims—such as “promotes heart health”—and to substantiate them with evidence that a supplement has some structural or functional effect on a given part of the human body.  Manufacturers need not also have evidence that those structural or functional effects reduce the risk of developing a certain disease.  Plaintiff disagrees with the federal statutory scheme for dietary supplements, but we cannot accept his invitation to upend it.

Id. at *3 (emphasis added, citations omitted).  The Ninth Circuit came to a similar conclusion with regard to the plaintiff’s arguments targeting the “promoted immune function” claims.  The FDCA does not require that manufacturers substantiate structure/function claims about immune health with proof that their supplements reduce the risk of all-cause mortality.  Thus, “[b]ecause any such requirement under California law would differ from the FDCA’s labeling requirements, the FDCA preempts Plaintiff’s claim to the extent that he argues that Defendants make a false structure/function claim because their supplements fail to reduce the risk of all-cause mortality.”  Id. at *4.

The only claim that survived was the plaintiff’s claim that the defendant’s structure/function claim about immune health was misleading because the supplements actually increase the risk of all-cause mortality.  Because that claim would be misleading under either federal or state law, it was not expressly preempted.  Id.  The plaintiff, however, did not submit evidence sufficient to raise a triable issue of fact.  His expert cited four meta-analyses, but none concluded that vitamin E supplements caused an increased risk.  Id.  With no substantial evidence that the defendant’s “promoted immune function” claim was misleading, the plaintiff was not entitled to proceed.  Summary judgment affirmed.

The Dachauer opinion comes to the right result for the right reasons.  For our part, we will continue to take our daily multivitamin with modest expectations, and maybe we will try to get out into the sun more often.

A federal court in Utah ruled the other day that it had no personal jurisdiction over a corporate parent, even though the plaintiffs alleged that the defendant subsidiary was the “alter ego” of its owner.  We read the order with great interest for a couple of reasons.  First, one of our first assignments out of law school was to respond to discovery and write motions for an insurance company’s parent—a holding company that held considerable assets, but did not underwrite insurance policies.  We have learned over the years that some companies don’t care so much about corporate parents being sued, and others care a great deal.  Our insurance company client was in the “cared a great deal” bucket, leaving us to parse endlessly how the “company” differed from the “group,” how the company did all the business and had all the employees, and how they all scrupulously observed every corporate formality.  It usually worked, because it was all true.  The holding company was a holding company, and the insurance company had the wherewithal to answer for its own debts.  Ever since this experience, we have held a persistent (perverse?) interest in alter ego, agency, and other ploys to “pierce the corporate veil.”

The second reason the recent District of Utah case caught our interest is because one of the underappreciated aspects of the Supreme Court’s reset of general personal jurisdiction in Bauman is how the Court discarded so-called “agency jurisdiction.”  That was where a court could impute a subsidiary’s forum contacts to the corporate parent by applying a relaxed “agency” standard.  That form of jurisdiction does not exist anymore.  See Daimler AG v. Bauman, 571 U.S. 117, 134-36 (2014).  The Supreme Court closed the loop when it recalibrated specific personal jurisdiction in BMS and held that specific jurisdiction cannot be based on another defendant’s forum contacts.  See Bristol-Myers Squibb Co. v. Superior Court, 137 S. Ct. 1773, 1783-84 (2017).

So where did that leave the plaintiff in the recent Utah case who was trying to sue a medical device company and its corporate parent?  Because there was no general jurisdiction over the non-resident parent, the plaintiff had to prove specific jurisdiction through the rigorous and difficult-to-prove “alter ego” standard.  The case is Jorgensen v. Wright Medical Group, Inc., No. 2:18-cv-366, 2018 WL 6250606 (D. Utah Nov. 29, 2018), and the plaintiff sued the medical device manufacturer (the “company”) and its holding company (the “parent”) alleging injuries resulting from treatment with the device.

The district court rejected jurisdiction over the parent, and there are three interesting points.

First, the district court considered evidence, even though it was ruling on a motion to dismiss.  In an attempt to establish sufficient forum contacts, the plaintiffs alleged that both the company and the parent “sold, distributed, and marketed” the device within Utah.  Id. at *2.  But the parent submitted uncontroverted affidavits explaining that it did no business in Utah and had no place of business or property there.  Id.  The plaintiff submitted press releases and SEC filings where the parent spoke of its medical device business generally, but the district court found that consolidated statements are a “common business practice” that did not undermine the specific facts in the sworn affidavits.  Id. at *3.  The lesson is that unproven allegations will not carry the jurisdictional day.  Even on a motion to dismiss, courts can and should consider evidence.

Second, the alter ego standard is difficult to meet.  In attempting to attribute the company’s forum contacts to the parent, the plaintiff relied on the same press releases and SEC filings as before, but they were not sufficient.  Rather, “(1) there must be such unity of interest and ownership that the separate personalities of the corporation and the individual [shareholder] no longer exist . . . and (2) the observance of the corporate form would sanction a fraud, promote injustice, or an inequitable result would follow.”  Id. at *4.  This standard is based on Utah law, but it is similar to standards we have seen in other states.  Here, the parent’s affidavits again held sway:  They attested that the parent “maintains separate accounting and banking records from the accounting and banking records of [the company].”  Id.  The plaintiff neither rebutted this evidence, nor alleged that any fraud or injustice would result from observance of the corporate form.  Id.

Third, in what might be the most useful part of the order, the district court denied “jurisdictional discovery.”  Id. at *5.  The following standard applied:  “‘The district court does not abuse its discretion by denying jurisdictional discovery where there is a very low probability that the lack of discovery’ would affect the outcome of the case.”  Id.  The plaintiff had to suggest specific discovery that would lead to a different result, and he came up with just one set of documents that purportedly would show the parent’s “direct involvement” in the medical device at issue.  But another plaintiff had offered those same documents to establish liability against the parent in another case, and the parent was dismissed, making it “highly unlikely” that the documents would make a difference here.  Id.

All is not lost for this plaintiff.  He still has jurisdiction over the medical device company, although we know nothing from this order about the arguable merits of his claims.  He will not, however, be allowed to reach into the parent company’s pockets.

We celebrated National Cybersecurity Awareness Month a few weeks ago by bringing you the FDA’s newly published Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, with a promise to cover the Agency’s promised update on its Guidance for Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, which was first published in 2014.

Well, the Agency has now published the Draft Guidance (you can review it here), and it is really interesting for a few reasons.  First, the FDA continues to view medical device cybersecurity risks through the same lens as it views any other risk.  That is to say, treatment with any medical device presents potential risks, and premarket submissions for connected medical devices should permit analysis of cybersecurity risks compared against the device’s benefits.  Second, the Draft Guidance generally follows the philosophy and framework set forth in the FDA’s current guidance, but places considerably greater flesh on the bone.  Third, the Draft Guidance places a much greater emphasis on medical device warnings, including suggesting the inclusion of a long list of detailed information—so much information that we wonder about usefulness and feasibility.

So what does the Draft Guidance say?  The theme is that the increasing use of connected medical devices and portable media in medical devices makes effective cybersecurity more important than ever to ensure device functionality and safety.  The Draft Guidance’s mission is clear:  “Effective cybersecurity management is intended to decrease the risk of patient harm by reducing device exploitability which can result in intentional or unintentional compromise of device safety and essential performance.”  (Draft Guidance, at p.3)  “Intentional or unintentional.”  In other words, we are talking here not only about bad actors and malicious attacks, but also accidents and other situations where no harm to a device’s function was intended at all.

One new feature is the creation of two tiers of medical devices:  A device is “Tier 1, Higher Cybersecurity Risk” if (1) the device is capable of connecting to another medical or non-medical product, or to a network, or to the Internet; AND (2) a cybersecurity incident affecting the device could directly result in patient harm to multiple patients.  All other devices are “Tier 2, Standard Cybersecurity Risk.”  (Id. at 10)  The catch-all nature of Tier 2 seems odd at first blush because it would appear to include devices for which there is no conceivable cybersecurity risk, such as orthopedic implants.  Also note that these tiers cut across the FDA’s existing statutory device classifications, such that a Tier 1 device could be a Class II or Class III device.  They are separate criteria.  (Id.)

The consequence of falling into Tier 1 is that the Draft Guidance calls for considerably more exacting information in premarket submissions.  More specifically, premarket submissions for Tier 1 devices should “include documentation demonstrating how the device design and risk assessment” incorporate certain design controls that accomplish the following:

  • Identify and Protect Device Assets and Functionality – The focus here is on the design of “trustworthy” devices and the presentation of documentation demonstrating “trustworthiness.” A trustworthy device should prevent unauthorized use through sufficient authentication and encryption; should ensure the trustworthiness of content by maintaining “code, data, and execution integrity” through such measures as software/firmware updates and enabling secure data transfer; and should maintain confidentiality.  (Id. at 11-16)
  • Detect, Respond, Recover – As the Draft Guidance puts it, “appropriate design should anticipate the need to detect and respond to dynamic cybersecurity risks.” This includes designing the device to detect cybersecurity events promptly.  It also includes designing the device to respond to and contain the impact of cybersecurity incidents and to recover its capabilities.  This would be through such measures as routine security updates and patches, systems to detect and log security compromises, features that protect critical functionality, and measures for retention and recovery of system configurations.  It also includes something called a “CBOM”—a Cybersecurity Bill of Materials, essentially a list of hardware and software components that are or could become susceptible to vulnerabilities.  (Id. at 16-18)

Perhaps the most interesting part of the Draft Guidance is the recommendation for device labeling.  As product liability litigators, medical device labeling is near and dear to our hearts because a manufacturer’s potential liability often depends on the adequacy of the risk information and instructions for use.

The FDA seems to agree that device labeling is important.  After citing the governing statutes and regulations, the Agency counsels that “when drafting labeling for inclusion in a premarket submission, a manufacturer should consider all applicable labeling requirements and how informing users through labeling may be an effective way to manage cybersecurity risks.”  (Id. at 18-19)  The Draft Guidance then lists 14 separate factors that it recommends for inclusion in the labeling.  We paraphrase them below not because we expect you to study them, but more so you can get a sense of how exacting these recommendations could be.  Here goes:

  • Device instructions and product specifications related to recommended cybersecurity controls appropriate for the intended use environment;
  • A description of the device features that protect critical functionality;
  • A description of backup and restore features;
  • Specific guidance to users regarding supporting infrastructure requirements;
  • A description of how the device is or can be hardened using secure configuration;
  • A list of network ports and other interfaces that are expected to receive and/or send data, and a description of port functionality and whether the ports are incoming or outgoing;
  • A description of systematic procedures for authorized users to download version-identifiable software and firmware;
  • A description of how the design enables the device to announce when anomalous conditions are detected (i.e., security events);
  • A description of how forensic evidence is captured, including but not limited to any log files;
  • A description of the methods for retention and recovery of device configuration;
  • Sufficiently detailed system diagrams for end users;
  • “A CBOM including but not limited to a list of commercial, open source, and off-the-shelf software and hardware components to enable device users . . . to effectively manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected system), and to deploy countermeasures to maintain the device’s essential performance”;
  • Where appropriate, technical instructions to permit secure network deployment and servicing, and instructions on how to respond upon detection of a cybersecurity vulnerability or incident; and
  • Information, if known, concerning device cybersecurity end of support, i.e., the time when the manufacturer may no longer be able to reasonably provide software patches and updates.

We support providing adequate information to device users, and we doubly support taking medical device cybersecurity seriously.  These recommendations, however, raise several questions.  For one thing, who is the intended audience?  The learned intermediary doctrine in most every state holds that medical device warnings are for the prescribing physicians—and no one else.  Is this information to be written for physicians, or IT professionals, or even patients?  We don’t know.

We also wonder about whether it is feasible to provide all this information, or even useful.  Maybe it would be both, or maybe neither.  But we think it is fair to ask whether providing “sufficiently detailed system diagrams” and lists of “commercial, open source, and off-the-shelf software and hardware components” is the most helpful information for protecting patient health and safety.  What is a “CBOM”?  We also wonder how the adequacy of this information would be judged.  Unlike medical risk information, this information is beyond what most physicians (the learned intermediaries) would readily appreciate.  In the so-far-extremely-unlikely event that a cybersecurity incident results in harm to a patient, will we have a new category of experts to depose?

To round it out, the Draft Guidance recommends including design documentation and risk management documentation that demonstrates device trustworthiness and the design’s connection to “threat models, clinical hazards, mitigations, and testing.”  (Id. at 21-22)

The above questions and more can be presented to the regulators as they consider the Draft Guidance and put it in final form.  Comments and suggestions are currently due sometime next March, although these deadlines tend to slip.  We will eagerly see what people have to say.  Stay tuned.

What happens when you have a class action where some putative class members suffered an injury while others did not? Can such a proposed class even be certified? The answer depends on whom you ask. The plaintiffs/class representatives will surely point out that whether any individual class member actually suffered a compensable injury is a mere administrative detail that can be sorted out after the fact. Trust us, Judge. Just certify the class, and we’ll make sure the right people get paid.

The defendants on the other hand will emphasize (correctly) that there is this little thing called due process, which prohibits certifying a class where individual class members have contested injuries or no injuries at all. That was the dilemma that the First Circuit addressed in In re Asacol Antitrust Litig., No. 18-1065, 2018 WL 4958856 (1st Cir. Oct. 15, 2018), and the court came to the correct conclusion that a class that includes uninjured class members cannot be certified. The First Circuit also poured buckets of cold water on questionable concepts of aggregated proof and statistical modeling.

Here is what happened. The plaintiffs sued the defendant claiming that its discontinuation of one drug and introduction of similar substitute drugs violated the consumer protection and antitrust laws of twenty-six jurisdictions. Id. at *1. The district court later certified a class of “all Asacol purchasers who subsequently purchased [the alleged substitute drugs] in one of those twenty-six jurisdictions.” Id.

But here is the rub. In certifying the class, the district court found that approximately 10 percent of the class members (mostly if not entirely third-party payers) had not suffered any injury attributable to the defendants’ alleged wrongful conduct. Id. And here is the further rub. The defendants claimed that uninjured class members actually made up more than 10 percent of the class, and the plaintiffs claimed that the number actually was less. In other words, it was undisputed that some portion of the class had no compensable injury, and the fact of injury was contested for some additional and unknown portion of the class.

The district court determined nonetheless that the uninjured class members could be removed “in a proceeding conducted by a claims administrator.” Id. When someone suggests relying on a post-certification “claims process” to smooth over disputed individual issues in a class action, the red flags start to wave in our heads. The submission of a form to a “claims administrator” is not an adequate substitute for the due process to which defendants are entitled absent an agreement, such as with a class settlement.

Red flags waved in the heads of the First Circuit too, resulting in an opinion reversing class certification. First, there was the issue of standing. The defendants argued that the class representatives had never made purchases within twenty-two of the jurisdictions and thus lacked standing to sue under those states’ laws. Id. at *3. In the First Circuit’s view, the issue was whether the class representatives had the proper incentive to advance claims under all those states’ laws, and it ruled that they did. Id. at **3-5. The only carve out was New York, which uniquely requires proof of deception. Id.

Second, the First Circuit considered Rule 23(c)(3)’s requirement that common issues predominate over individual issues, and this is where this class action failed. It was undisputed that some number above or below ten percent of the certified class suffered no compensable injury. Id. at *6. The district court’s major error was its assumption that it would be possible “to establish a mechanism for distinguishing the injured from the uninjured class members” and that “Class members will be asked to submit a claim form, along with data and documentation that may be deemed necessary for consideration.” Id. at *7.

That process would not be sufficient, in part because “[o]ne can only guess what data and documentation may be deemed necessary, what the formula will be, and how the claims administrator will decide who suffered no injury.” Id. The First Circuit distinguished the situation where class members would establish their claims through “‘unrebutted testimony’ contained in affidavits.” Id. (distinguishing In re Nexium Antitrust Litig., 777 F.3d 9 (1st Cir. 2015)). Here, the plaintiffs did not intend to rely on unrebutted testimony to eliminate uninjured class members, and the defendants had expressed their intention to challenge any affidavits that might be gathered. Id. Because such disputed individual issues cannot be resolved under Rule 23, the First Circuit’s “inability to fairly presume that these plaintiffs can rely on unrebutted testimony in affidavits to prove injury-in-fact is fatal to plaintiffs’ motion to certify this case.” Id. at *8.

This is an important holding. The predominance of individual issues should preclude class certification under Rule 23(c) in every instance, and that rule applies with no less force when the predominating individual issue is whether each class member has suffered an injury in fact. It is not sufficient, as the First Circuit held, to certify the class based on vague promises of sorting it out later.

Nor is it acceptable to promise proof of “class-wide impact” through purported expert testimony. According to the plaintiffs, proof of “class-wide impact” would result in some uninjured class members receiving compensation, but it will all “net out” in the end and “should be of no concern” to the defendants. Id. at *9. Such rough justice ignores that when a defendant is not liable to particular individuals because they suffered no injury, the amount of total damages should be reduced. Id. Moreover, when relief depends on determining whether an individual has been injured, the defendant must have an opportunity to challenge each class member’s proof. Id.

Finally, the First Circuit condemned the reliance on statistical analysis at the expense of due process. The following quote is long, but you should read it because it is powerful:

Accepting plaintiffs’ proposed procedure for class litigation would also put us on a slippery slope, at risk of an escalating disregard of the difference between representative civil litigation and statistical observations of tendencies and distributions. Once one accepts plaintiffs’ “no harm, no foul” position there would be no logical reason to prevent a named plaintiff from bringing suit on behalf of a large class of people, forty-nine percent or even ninety-nine percent of whom were not injured, so long as aggregate damages on behalf of “the class” were reduced proportionately. Such a result would fly in the face of the core principle that class actions are the aggregation of individual claims, and do not create a class entity or re-apportion substantive claims.

Id. at *10 (emphasis added). Read that last line again because it re-emphasizes that Rule 23 is a rule of procedure. It does not bestow substantive rights, nor could it alter substantive law—such as laws requiring proof of an injury in fact before someone can sue—without running afoul of the Rules Enabling Act.

The First Circuit here applied the predominance requirement in a way that essentially enforces the requirement of ascertainability—i.e., you can’t certify a class if you can’t ascertain who would be in the class before certification. The First Circuit also walked back from the Neurontin trilogy, which pushed concepts of aggregated proof beyond the breaking point, which we discussed here. Both are welcome developments.

Did you know that October is National Cybersecurity Awareness Month?  Neither did we, until we started poking around the FDA’s recent press release announcing that it intends to update its guidance on medical device cybersecurity within the next few weeks.  We also learned that National Cybersecurity Awareness Month has been observed each October since its inception in 2004.  Observed by whom?  We’re not exactly sure.  We picture our IT consultants walking office to office handing out hats and stickers with catchy slogans like “A password is like underwear. Change it!”  Or some lame pun involving the word “phishing.”  If it were up to us, we would default to the simple and classic “Ctrl-alt-delete before you leave your seat.”

All kidding aside, cybersecurity threats have moved in recent years from theoretical to very real, and while there remains no reported instance of anyone hacking into a medical device being used to treat a patient, the potential vulnerability is one to which we need to pay attention.

That includes the FDA.  The FDA has published guidance on cybersecurity with regard to both premarket submissions and post-market submissions.  (You can see our take on the postmarket guidance here.)  Based on the FDA’s press release, updates are coming to the premarket guidance, specifically to “highlight the importance of providing customers and users with a ‘cybersecurity bill of materials,’ or in other words, a list of commercial and off-the-shelf software and hardware components of a device that could be vulnerable to attack.”  This jibes with the FDA’s general approach to cybersecurity, which is to undertake a risk-based analysis that identifies vulnerabilities, assesses the potential frequency and severity of the risk, identifies mitigations, and proceeds accordingly.  Such a risk-based analysis should be familiar to anyone who operates in the medical device space, where risks and benefits are weighed on a daily basis.

The other news of the press release is the publication of a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, which “describes the types of readiness activities that’ll enable HDOs [healthcare delivery organizations] to be better prepared for a cybersecurity incident involving their medical devices.”  This Playbook was prepared by the MITRE Corporation, a government-sponsored research and development organization.  You can get a copy of the Playbook here, and you can see that it is aimed at healthcare providers and critical healthcare infrastructure in which medical devices operate.

The purpose of the Playbook is to help HDOs get ready for cybersecurity threats affecting medical devices that could impact continuity of care and patient safety.  More specifically, the Playbook’s objectives are to:

  • Provide baseline medical device cybersecurity information that can be incorporated into an HDO’s emergency preparedness and response framework;
  • Outline roles and responsibilities for responders to clarify lines of communication “across HDOs, medical device manufacturers (MDMs), state and local governments, and the federal government”;
  • Describe a standardized approach to response efforts;
  • Serve as a basis for enhanced coordination activities among medical device cybersecurity stakeholders;
  • Inform decision making and the need to escalate response;
  • Identify resources HDOs can leverage as a part of preparedness and response activities; and
  • “Serve as a customizable regional preparedness and response tool for medical device cyber resiliency that could be broadly implemented.”

We put that last one in quotes because we’re not exactly sure what “cyber resiliency” means, but we assume it means the ability to fend off a cybersecurity event or at least mitigate its impact.  Toward that end, the Playbook suggests a four-phase approach:  (1) Preparedness; (2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post Activity.

“Preparedness” means exactly what it says, with an emphasis on mindfulness of cybersecurity when procuring medical devices and keeping an inventory such that the HDO is always aware of what connected devices it has on hand.  HDOs should engage in “hazard vulnerability analysis” (again, a focus on risk) and plan for communicating and responding during an event.  That includes medical device manufacturers, whom the Playbook places squarely within the communication loop with the HDO and the FDA.

“Detection and Analysis” focuses on identifying when an incident has occurred and assessing its priority on a numerical scale that strangely assigns “Emergency” events to “Category 0.”  Analysis and documentation are important parts of the process, too.

The core of the response falls under “Containment, Eradication, and Recovery,” which appropriately focuses on patient safety.  Is the device safe to use?  Is there a reliable way to test the device and confirm it is working correctly?  Are there spare or backup devices?  How quickly can the problem be fixed, and has there been collateral damage to the broader healthcare system?  These are the questions that HDOs should be asking.

Finally, the “Post Activity.”  The Playbook recommends attention to lessons learned, including possibly retaining a digital forensics expert and updating the plan.

As we have said before, medical device cybersecurity is here to stay, and the FDA has been busy.  In addition to the Playbook (which is not an FDA document, but still, you get the gist), the FDA has entered into memoranda of understanding to form information sharing analysis organizations (“ISAOs”), which are “groups of experts that gather, analyze and disseminate important information about cyber threats.”  The Agency has participated in cybersecurity exercises and summits, and has engaged in discussions with other government agencies, including the Department of Homeland Security.  It has proposed a Center of Excellence for Digital Health, which “would help establish more efficient regulatory paradigms, consider the building of new capacity to evaluate and recognize third-party certifiers, and support a cybersecurity unit to complement the advances in software-based devices.”  We will keep you posted.