Class Action Suit Filed in Insider Breach
Alleges Patients Didn't Get Privacy Protection They 'Paid For'
A class action lawsuit has been filed against a hospital company and a business associate in a case involving an insider breach that affected more than 82,000 individuals and allegedly went on for about two years. The plaintiffs claim they did not receive the data privacy protections that they "paid for" and that were promised to them by the hospital involved.
The attorneys who filed this case used a similar argument to win a $3 million settlement against health plan company AvMed following a breach involving the theft of two unencrypted laptops containing information on 1.2 million members (see Settlement In AvMed Breach Suit).
That settlement was significant because it awarded payments even to individuals who were not victims of identity theft. The bulk of the settlement in that case represented what AvMed should have spent on protecting data, so it amounted to a refund of premium overpayment.
The new lawsuit was filed on Feb. 18 in the U.S. district court for southern Florida against Hospital Corporation of America - which owns the Aventura (Fla.) Hospital and Medical Center, where the breach occurred - and Envision Healthcare. The suit says Envision Healthcare, doing business under the name Valesco Ventures, provided hospital physician staffing and related services to Aventura. The incident involved a Valesco Ventures employee who allegedly accessed patient information at the hospital without authorization.
The plaintiffs are seeking undetermined damages and restitution, as well as an order "requiring defendants to protect all data collected through the course of their business in accordance with HIPAA and Florida statutes."
The lawsuit charges that HCA and Valesco failed to safeguard patients' sensitive personal information, including names, dates of birth, and protected health information as defined by HIPAA.
"Defendants - through Aventura Hospital's privacy policies and patient agreements - specifically promised to protect patients' sensitive information by adopting and implementing the specific data security regulations and standards set forth under HIPAA and Florida," says the suit.
"Unfortunately, it took a large-scale medical data breach to reveal - for the third time - that defendants failed to provide their patients with the level of data protection that they promised and paid for."
In addition to the insider breach at the center of the suit, Aventura is listed on the U.S. Department of Health and Human Services' "wall of shame" breach tally as having two previous data breaches affecting more than 500 individuals.
The HHS site lists a breach reported by Miami Beach Healthcare Group Ltd., doing business as Aventura Hospital and Medical Center, on Nov. 5, 2012, affecting 2,560 individuals and involving the theft of electronic health records. The tally also lists an incident Aventura reported on Aug. 26, 2014, involving the theft of a desktop computer and affecting 948 individuals.
The breach that led to the new lawsuit is listed on the tally as a "theft, unauthorized access/disclosure" incident involving electronic health records and business associate Valesco Ventures. The incident was reported to HHS on Sept. 9, 2014.
Valesco Ventures, in a breach notice mailed to affected individuals, said that an employee inappropriately accessed the patient information from Sept. 13, 2012, through June 9, 2014.
The lawsuit argues that because Aventura failed to apply security controls to its databases in accordance with HIPAA requirements, "the employee was able to easily gain access to the sensitive information of thousands of Aventura Hospital patients - even though the individual was not authorized to access such information, was presumably supervised in some capacity, and access to such information had nothing to do with his or her job responsibilities and duties."
The suit alleges that Aventura informed patients that they would have their "medical records, including all computerized medical information, kept confidential." But the breach shows that the "defendants' statements about their data security and management practices - both through their privacy policies and public representations - served to falsely inflate the advertised utility of their services, thus allowing Aventura Hospital to charge patients higher costs for treatment."
Edmund Normund, an attorney representing the plaintiffs in the suit, tells Information Security Media Group that Aventura and its business associate failed to implement data management and security measures "that the plaintiffs paid for," and in doing so "unjustly enriched themselves."
A similar argument was used in the AvMed case. The AvMed suit alleged that as a result of the health plan company's failure to properly secure their information, members overpaid for insurance coverage, the price of which, they allege, included the costs associated with protecting their information.
Ari Scharg, another attorney representing plaintiffs in the Aventura case, tells ISMG a key contributor to healthcare breaches involving insiders is that hospitals often "fail to segment employees' access" to patient data based on the employees' roles. "Access to data should be based on what's needed to do the job. Bookkeepers, for instance, shouldn't have access to clinical information."
Aventura, in a statement provided to ISMG, says: "We dispute the many inaccuracies in the complaint. Aventura Hospital has significant training and compliance programs in place to deal with patient privacy and security of data. Because this kind of criminal activity has affected a number of healthcare organizations in South Florida, we are continually reviewing and reinforcing our processes to help ensure the protection of patient information."
Aventura notes that it is providing free credit monitoring and repair services to those affected by the breach. "Our goal is to see that these schemes are uncovered and those responsible are brought to justice."
An Envision Healthcare spokesman tells ISMG: "A subsidiary of Envision was dismissed from an earlier lawsuit making the same allegations once the plaintiff's attorney realized he had named the wrong defendants. We were similarly named in error in this lawsuit and expect to be dismissed for that same reason."