A class action lawsuit has been filed against Tennessee-based Community Health Systems, Inc. (CHS) relating to a data breach affecting the personal data of approximately 4.5 million patients. Earlier this month, CHS filed a report with the U.S. Securities and Exchange Commission providing notice of an external cyber-attack on the company’s computer systems that CHS believes to have occurred in April or June, 2014. According to the report, the attackers bypassed the company’s security measures using malware and obtained non-medical patient identification data, including patient names, addresses, birthdates, telephone numbers and social security numbers. Although the report indicates that CHS notified affected patients and offered identity theft protection services in an attempt to minimize the damage caused, a class action lawsuit has been filed against CHS in the U.S. District Court for the Northern District of Alabama. The plaintiffs in the lawsuit allege that CHS failed to implement and follow adequate security measures to protect their sensitive data and also failed to notify them of the data breach in a reasonable time, resulting in increased risk of identity theft.

In related news, a proposed settlement has been reached in a similar class action lawsuit against the University of Miami Health System (UMHS) alleging that it failed to adequately protect patient information and failed to timely notify patients of a data breach. This lawsuit stemmed from the loss of billing vouchers by an off-site storage vendor that contained names, dates of birth, social security numbers and medical information relating to several thousand patients. As part of the proposed settlement, UMHS will be required to pay approximately $190,000 in monetary damages and attorneys’ fees and undertake additional security precautions to prevent future breaches.

Both of these cases illustrate how a medical provider's failure to implement effective security measures that address the variety of ways patient personal data can be breached, and to notify patients promptly after any such breach, can lead not only to liability to the Department of Health and Human Services under HIPAA, but also to private causes of action by affected patients.
