Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data

Share this article on:

Arkansas Attorney General Leslie Rutledge announced this week that legal action is being taken against Country Medical Services Inc., the former operator of Eastern Ozarks Regional Health System in Cherokee Village, and owners Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL, for mishandling the sensitive personal and protected information of thousands of individuals.

In December 2004, Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed. Country Medical Services had run the hospital for 9 years; however, an investigation by the state Department of Health identified almost 3 dozen potential violations of the Emergency Medical Treatment and Labor Act, as the hospital was unable to provide emergency services. Rather than face the financial penalties, the hospital immediately terminated its hospital license in 2004.

6 years later, the property was transferred to the state after the owners failed to pay their taxes. An inspection of the property by the office of the Attorney General identified boxes of files in the property that contained sensitive personal data. Unauthorized individuals had gained access to the property and files stored throughout the facility appeared to have been examined, potentially by individuals looking for sensitive personal data. At this stage, it is unclear how many former patients of the facility have had their sensitive data exposed and potentially stolen. Files left unsecured at the property included a range of sensitive employee and patient information, including names, contact information, Social Security numbers, driver’s license numbers, financial account information, medical information, and biometric data.

According to the lawsuit, which was filed in Sharp County Circuit Court, the investigation uncovered no evidence to suggest the hospital took any reasonable measures to permanently destroy or secure sensitive files. The failure to ensure the confidentiality of patient data is a violation of the Health Insurance Portability and Accountability Act (HIPAA); however, as is often the case, legal action is being taken for equivalent violations of state laws. The lawsuit alleges the defendants were in violation of the Arkansas Personal Information Protection Act (PIPA) and the Arkansas Deceptive Trade Practices Act (ADTPA). Country Medical Services and the owners now face civil penalties of up to $10,000 for each violation of PIPA and the ADTPA.

“Consumers must be able to trust their healthcare providers and employers to protect their personal information,” said AG Rutledge. “Eastern Ozarks Regional Health System betrayed that trust and left patients and employees vulnerable to scams and identity theft. I am holding the hospital and its owners accountable.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On