Settlement in Tampa General Hospital Insider Breach LawsuitPlaintiffs Alleged a 'History of Poor Data Protection'
In a rare settlement of a data breach class action lawsuit, Tampa General Hospital has agreed to pay a total of just $10,000 to plaintiffs who alleged they're at risk for identity theft as a result of insider incidents.
See Also: HIPAA Audits: A Revised Game Plan
The plaintiffs argued that a series of breaches involving insiders at the organization was the result of the hospital inadequately safeguarding patient data. The lawsuit against Florida Health Sciences Center, which does business under the name Tampa General Hospital, alleged that unauthorized access to the hospital's computer systems put 1,179 individuals at risk for identity theft. To file for a piece of the settlement, individuals affected must demonstrate an "actual loss" due to the breaches.
John Yanchunis, an attorney representing the plaintiffs, tells Information Security Media Group that the case spotlights "a continuing problem" in many hospitals of insiders accessing data without authorization "and then using this [information] for illegal purposes."
Bucking the Trend
While the amount of the settlement is quite small, very few breach-related class action lawsuits are settled for any amount.
"Most healthcare data breach cases still are getting dismissed without a real showing of specific damages," says privacy attorney Kirk Nahra of the law firm Wiley Rein, who was not involved in the case. The Tampa General case makes reference to the filing of false tax returns, "which at least implies some actual impact on some subset of the people."
Nahra says the case highlights that "insider threats are real and an ongoing problem, and companies across the board need to pay attention to this," Nahra says.
Under the settlement, the hospital will also pay up to $7,500 in costs related to the plaintiffs' attorney fees and other litigation expenses. "This also involves a broader issue with many class action cases - not focused on data breaches - where the class - and specifically class members - get very little and attorneys get most of the actual dollars," Nahra says.
An amended complaint filed in February 2015 says that in May 2014, the hospital "had actual or constructive knowledge that unknown individuals wrongfully accessed and obtained plaintiff's and class members' [information] ... which included names, addresses, dates of birth, Social Security numbers, admitting diagnoses and insurers."
The Department of Health and Human Services' "wall of shame" tally of major health data breaches affecting 500 or more individuals includes an unauthorized disclosure/access breach reported on Sept. 12, 2014, by Tampa General affecting 675 individuals and involving electronic medical records.
But the class action complaint lists several data security and privacy incidents, some involving hospital employees, alleging that Tampa General's "history of protecting patient information has been poor."
The lawsuit alleges that in June 2013, "it was discovered that a nurse who worked at TGH had accessed without authorization ... records of a patient and discovered that the patient had given up a baby for adoption in October 2008. The nurse informed the family of this patient of this fact at a family reunion." The nurse was later terminated for the violation, the complaint notes.
The suit alleges that as a result of the hospital's "failure to adequately protect and secure ... protected health information and personally identifiable information," another TGH employee "gained access to and obtained PHI and PII belonging to plaintiff and class members in disregard of [their] privacy rights ... and for the purpose of using this information for the personal gain of the employee and others to whom the employee transferred this protected information."
The data breach central to the complaint "was discovered after Tampa Police arrested a person who was not employed at the hospital but had Tampa General Hospital patient records in their possession." The complaint alleges that the identity of one plaintiff "was stolen and an unknown individual attempted to purchase goods using [the] plaintiff's personal information."
The complaint also cites a criminal case involving Tigi Moor, a former data integrity specialist employed by the hospital. The complaint alleges beginning in January 2012 the employee accessed "without authorization the personal information of present and/or former patients ... for the purpose of engaging in a fraudulent scheme to steal the identities of patients and filing false tax returns on behalf of those patients."
The scheme allegedly netted $671,000 "and undoubtedly damaged the patients whose identities were stolen and now have to face the threat of continued repercussions of this identity theft." Moor and three others involved pleaded guilty to an array of federal criminal charges, the complaint notes.
In another sentencing not specifically referenced in the complaint, Shanakia Benton, a former worker at Tampa General Hospital in August was sentenced to 37 months in federal prison for wrongful disclosure of individual identifiable health information and wire fraud for her part in a tax refund fraud scheme (see HIPAA Criminal Prosecutions on the Rise).
The settlement agreement indicates the hospital denied the lawsuit's allegations, but decided to settle in order "to put to rest the controversies engendered by the action."
Tampa General Hospital declined to comment about the settlement.
Among other recent settlements involving data breach class action lawsuits was a $28 million settlement in March of a suit stemming from a data breach at St. Joseph Health System in California. Legal experts say the comparatively hefty settlement in that St. Joseph Health case illustrates that egregious breaches can have serious financial consequences.
Another class action lawsuit against health plan AvMed tied to a data breach in 2009 that affected 1.2 million individuals ended with a $3 million settlement in 2013.