Share this article on:
A class action lawsuit has been filed in the Kanawha Circuit Court against Charleston Area Medical Center, for a data breach that occurred between August 2013 and February 2014.
The lawsuit has been filed by two plaintiffs who were patients of the medical center at the time of the data breach and had their data exposed. Tiffany Mallion and Nickole Pullen claim they entered into an agreement with the hospital to receive treatment, and that agreement also included securing their health information. They claim their Protected Health Information (PHI) was exposed as a result of a number of security failures at the medical center.
It is alleged that the protections put in place to secure data were insufficient, and left highly sensitive information “unprotected, unguarded and unsecured.” A catalog of security failings have been cited, such as the failure to train staff on privacy and data security matters, a failure to protect data, as well as a there being a lack of physical protections to secure the equipment on which the data was stored. As a result, the plaintiffs claim “their physician-patient confidential relationship has been breached.”
Under the Health Insurance Portability and Accountability Act, all covered entities are required to implement physical, administrative and technical safeguards to keep stored data secure. HIPAA does not specify the exact protections that must be put in place; instead this is left to the discretion of the covered entity.
HIPAA also requires covered entities to respond to data breaches in a timely manner, and notify patients of a data breach “without unnecessary delay,” and certainly within 60 days of discovery. The plaintiffs allege that HIPAA Rules were violated when the medical center failed to notify patients within the appropriate timescale.
The data breach was discovered in February 2014. Under HIPAA Rules, breach notification letters should have been sent to the victims in April. The plaintiffs claim they did not received their letters until May 2014, more than two years after their records were first breached and more than two months after the breach was discovered.
The delay in notification placed the plaintiffs at an increased risk of suffering identity fraud, and stopped them from taking precautions to secure their credit and identities. It is not clear if the plaintiffs actually suffered any harm or damage as a result of the breach. Class certification and compensatory damages are being sought by the two patients.