Incident & Breach Response , Legislation & Litigation , Security Operations

Loss of Records From Disposal Truck Triggers Legal Action

Lawsuit Tied to Paper Records Breach Faces Hurdles
Loss of Records From Disposal Truck Triggers Legal Action

Like class action lawsuits stemming from breaches of electronic health data, a new lawsuit filed in the aftermath of the loss of paper records faces slim chances of success, some legal experts say.

See Also: How Tri-Counties Regional Center Secures Sensitive Files and Maintains HIPAA Compliance

Radiology Regional Center, Fort Meyers, Fla., has been sued in the wake of a 2015 breach that occurred when paper medical files of its patients flew out of a disposal truck. Records for up to 483,000 individuals were being transported, but it's unclear how many were lost, according to the suit, as well as previous statements by the radiology practice.

The lawsuit claims that the December 2015 incident puts patients of the practice at risk of harm. In addition to the risk of identity theft and credit card and income tax fraud, the lawsuit states, some of those whose records were lost, including judges and police officers, run the risk of their occupations and addresses being exposed to those who could do them harm.

Challenging Case

But without strong proof of harm, plaintiffs will have difficulty winning their case, some legal experts contend.

"I don't think the issue of paper vs. electronic has any particular impact in any direction on a class action suit's success," says attorney Kirk Nahra of the law firm Wiley Rein LLP. "The major issue is still injury or damage - which will clearly be an issue here. It will be very hard to move from 'records are floating around' to 'someone found them, read them and did something wrong with any resulting information'."

Whether stemming from the breach of paper or electronic records, class action lawsuits brought for alleged privacy violations or failure to safeguard information typically have a common thread, notes privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.

"There must be some statutory standard or duty of care on which behavior is measured against," he says. "And in order for the lawsuit to be successful, there must be some alleged activity that falls below the standards for protecting the data, and a demonstrable injury or harm to the individual that resulted from that failure to protect the information that was disclosed."

The suit makes a number of allegations, including violations of Florida's deceptive and unfair trade practice law, breach of contract, breach of fiduciary duties, negligence and unjust enrichment. It claims that "defendants were completely unaware of the legal duties in disposing of private records ... that they created system vulnerabilities. Instead of, for example, creating a chain of custody protocol and shredding documents before shipping them off to a garbage dump, defendants decided to toss them out like a spring garage cleaning."

Breach Details

A statement posted on Radiology Regional Center's website says that on Dec. 19, 2015, Lee County Solid Waste Division, the company responsible for the disposal of the Florida-based radiology services provider's patient records, ran into trouble while it was transporting patient records to an incinerator to be destroyed.

"During transport, a small quantity of records were released on Fowler Street in Fort Myers, Florida," the statement says. "This incident resulted from the condition of the container used by Lee County Solid Waste Division to transport the records and the Lee County driver's failure to properly secure the container door."

Because records for 483,000 patients were among the materials being transported by the county waste disposal company, the practice reported that figure to HHS in its breach report, according to the statement.

The records involved, which dated from 2005 to 2012, may have contained patient names, addresses, phone numbers, Social Security numbers, dates of birth, health insurance numbers and other medical status and assessment information, as well as certain financial information, the practice said.

While Radiology Regional contends there were only "a small quantity" of records impacted by the mishap, the lawsuit claims otherwise. "Thousands and thousands of medical records [were] hurled from a garbage truck into a busy county road," according to the complaint.

The lawsuit is seeking an unspecified amount of damages.

Radiology Regional, as well as attorneys for the plaintiffs, did not immediately respond to Information Security Media Group's request for comment.

Lessons Learned

The security incident, and the subsequent lawsuit, spotlight the need for healthcare organizations and their vendors to effectively safeguard all forms of PHI, both paper and electronic, including during the disposal process.

"This is an important reminder to make sure that paper records are protected as well," says privacy attorney Nahra. "All of the attention on hackers may distract from the just as realistic threats involving paper, insiders, etc."

The Radiology Regional case is also a reminder that "covered entities and business associates must do a better job of understanding what processes their contractors and vendors will use in handling their PHI," Holtzman notes. "In this case, the healthcare provider should have asked how the trash service would have secured the paper records while in transit to the disposal site and what process would have been used to destroy the paper records."

Also, while incidents involving paper records typically affect fewer individuals than breaches involving electronic PHI, "this case is an example where the volume of paper is still pretty high," Nahra notes.

In fact, as of May 10, the U.S. Department of Health and Human Services' "wall of shame" website listing health data breaches affecting 500 or more individuals shows that the Radiology Regional incident is the largest breach involving lost, stolen or improperly disposed paper or film records since HHS began keeping tabs in 2009.

Regulatory Wrath?

Government regulators, including the HHS' Office for Civil Rights, which enforces HIPAA, have taken action against organizations after breaches involving improper disposal of PHI.

For example, OCR in June 2014 announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for up to 8,000 patients were dumped in the driveway of a retiring physician's home.

Also, in a 2010 settlement with OCR and the Federal Trade Commission, Rite Aid Corp. agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters. In February 2009, a $2.25 million settlement was reached in a similar case brought by the FTC and OCR against CVS Caremark.

The incident involving Radiology Regional is also ripe for intense OCR scrutiny, Holtzman contends. "I believe this is the type of incident in which OCR would take a long, hard look. The issues for review would be to ensure that the covered entity had a business associate agreement in place with the disposal company, as well as the policies of the trash hauler in how they planned to safeguard the paper records while they were in transit to the disposal site."

But Nahra doubts regulators will smack Radiology Regional with a financial penalty. "This seems like just a random screw-up. Unless there is some broader failure to develop policies and procedures, I doubt this will lead to [OCR] enforcement [actions]."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.