Health Data Theft Case Prompts Lawsuit

Suit Alleges Adventist Health Failed to Protect Information

Adventist Health System faces a class action lawsuit seeking damages for failure to safeguard the HIPAA-protected information of 763,000 patients at several of its hospitals in Florida.

At the heart of the lawsuit is a breach that involved a former emergency department worker of Florida Hospital Celebration. Over a two-year period from 2009 to 2011, the worker improperly accessed the electronic records of more than 763,000 patients treated at several Florida Hospital locations and sold personal information on about 12,000 patients to a co-conspirator, law enforcement officials say. That information was used to solicit legal and chiropractic services for patients involved in motor vehicle accidents, according to law enforcement officials (see: Prison Time for Health Data Theft).

The class action lawsuit seeks unspecified damages for individuals whose sensitive information was inappropriately accessed. It also asks the court to order Adventist to protect all data collected in compliance with HIPAA and industry standards.

Florida Hospital Celebration is one of 37 hospitals in the Adventist network.

Selling Data For Profit

The former hospital worker, Dale Munroe II, pleaded guilty and was sentenced in January to a year in federal prison for selling patient information he improperly accessed (see: Selling Records for Profit Alleged).

Two other co-conspirators in the incident also pleaded guilty: Munroe's wife Katrina, a former insurance worker at Florida Hospital Celebration, and Sergei Kusyakov, who was involved with the operation of two Florida chiropractic centers. Kusyakov, who authorities allege paid Munroe for the stolen patient information, was recently sentenced to four years in federal prison. Katrina Munroe awaits sentencing in July.

Lawsuit's Allegations

The class action lawsuit, filed April 9 in the U.S. District Court in Orlando, Fla., alleges that "Florida Hospital breached its statutory obligation and express promise by maintaining its patients' sensitive information in an electronic database that lacked crucial - and statutorily required - security measures and protocols, in addition to failing to adequately train and monitor its employees' access to sensitive information."

The lawsuit alleges that Florida Hospital employees were "able to easily gain access to the sensitive information of thousands of patients across 22 campuses using nothing more than employer provided log-in credentials, even though they were not authorized to access such information."

A spokeswoman for Adventist said on April 15 the organization had not yet been served court papers and declined to comment.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



