Hospital Breach Lawsuit Gets Class-Action Status
Former Employee Was Sentenced in Related ID Theft Case
A federal judge has granted class-action status for a breach-related lawsuit against an Alabama hospital where a former employee was convicted of identity theft that led to federal tax refund fraud.
In a March 17 ruling, a U.S. district judge said the lawsuit against Flowers Hospital in Dothan, Alabama, merited class-action status despite the lack of clear evidence that all of the individuals on whose behalf the lawsuit was filed suffered damages as a result of the 2013 breach incident, involving the theft of paper records.
No trial date has been set yet.
The lawsuit, which alleges negligence and breach of contract, claims that from approximately June 2013 until about February 2014, Flowers Hospital paper records containing the personally identifiable information and protected health information of five named plaintiffs "and thousands of other class members was left unguarded, unprotected, and/or otherwise subject to theft by Flowers employees and other third parties who otherwise had no reason to be in possession of such information." As a result, the information "of thousands of class members was stolen from the hospital by Kamarian D. Millender, a Flowers employee, as well as an unknown accomplice," the lawsuit complaint alleges.
In December 2014, Millender, a former Flowers Hospital lab technician, was sentenced to two years in prison after pleading guilty to identity theft in a criminal case related to the breach (see Prison Term for ID Theft at Hospital).
In the case against Millender, federal prosecutors said he and others stole patient medical records that contained personal identification information, which was then used to file more than 100 false tax returns, victimizing approximately 73 individuals. Prosecutors said the false tax returns attempted to defraud an estimated $536,000 from the Internal Revenue Service. "The IRS was able to stop the vast majority of the falsely claimed refunds, but approximately $18,915 in refunds were issued," according to the prosecutors' statement.
Details of Ruling
In the class-action suit ruling, Judge W. Keith Watkins wrote: "To be clear, the named plaintiffs have not shown exactly how many putative class members were affected by the data breach. But they have proved that the class will most likely number in the hundreds. ... And even assuming ... that the class is limited to the 73 victims identified in Millender's plea agreement, the named plaintiffs have easily satisfied the numerosity requirement."
The breach at Flowers Hospital was reported to the Department of Health and Human Services in April 2014 as a theft involving paper/film records affecting 629 individuals, according to the HHS Office for Civil Rights' "wall of shame" website, which lists breaches affecting 500 or more individuals.
Court documents in the data breach class-action lawsuit, however, note that "between April 8, 2014, and August 29, 2014, [Flowers Hospital] sent letters notifying 1,208 ... patients that their personal information may have been compromised. The hospital maintains that an overabundance of caution led it to draft an overlong mailing list - that the list reflected a healthy respect for HIPAA, not the actual extent of the data breach."
The suit alleges that the hospital began investigating "the heist" of data after it "got word of Millender's arrest" on Feb. 24, 2014, when he was apprehended by a county sheriff's office with "54 patient records in hand."
A Flowers Hospital spokeswoman declined to comment on the case. "It is our practice not to comment on litigation," she says.
Significance of Ruling
Although the Flowers Hospital case involves the theft of PII and PHI contained in paper records, "I don't think that the result of this decision would have been different if electronic records were involved," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"What distinguishes this case from many other breach cases is that it is clear that identity theft occurred as a result of the breach, rather than a breach case where there is merely a risk of identity theft," he says. "The fact that the identity theft occurred using paper records, rather than electronic records, likely did not have a significant impact."
The case could pave the way for similar rulings by other courts in data breach cases, Greene says.
"It is unclear that the entire class was equally impacted by this breach. The certified class includes all individuals whose information was stolen, without regard to whether the theft led to identity theft," the attorney says. "To the extent that other courts look to this decision as precedent, it may make it easier to certify classes where it is unknown whether each member of the class suffered the same type of harm."
Many class-action lawsuits fail because a court finds that there is no evidence of actual harm, Greene adds. "Here, it certainly doesn't hurt the plaintiffs that there is a conviction proving that some of the breached information was unlawfully used."
Yet, the ruling is only the first hurdle for plaintiffs in the case, Greene notes. "There still may be challenges, however, proving exactly whose information was used for identity theft among the notified patients."
Insider Threat Reminder
Attorney Steven Teppler of the Abbott Law Group notes that despite the attention that cyberattacks and external threats are getting, healthcare entities cannot afford to lose focus on preventing and detecting breaches involving insiders or insiders' credentials.
The Flowers Hospital case "is a public service announcement to healthcare providers - make sure you have your house in order" in terms of dealing with insider threats, Teppler says.
"You want to look at after-hour [data access] activity on a random sampling basis to find out what computers, what network nodes are involved in out-of-band activity being copied, sent and received," he says. "You want to watch traffic patterns and people patterns."
The most important lesson emerging from the Flowers Hospital case is the importance of scrutinizing insiders, says attorney Marti Arvin, vice president of audit strategy at the security consulting firm CynergisTek.
"It is important to vet employees prior to hire as part of an effective compliance program," she says. "It is also important to ensure the organization has appropriately secured all individually identifiable information, whether electronic or paper. Only those with a need to know should be able to access such information. The money spent on the appropriate controls and auditing and monitoring of those controls to ensure they are working appropriately would hopefully help avoid, or at least mitigate, the expense of defending this type of case."