HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data

Arkansas Attorney General Leslie Rutledge announced this week that legal action is being taken against Country Medical Services Inc., the former operator of Eastern Ozarks Regional Health System in Cherokee Village, and owners Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL, for mishandling the sensitive personal and protected information of thousands of individuals.

In December 2004, Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed. Country Medical Services had run the hospital for 9 years; however, an investigation by the state Department of Health identified almost 3 dozen potential violations of the Emergency Medical Treatment and Labor Act, as the hospital was unable to provide emergency services. Rather than face the financial penalties, the hospital immediately terminated its hospital license in 2004.

Six years later, the property was transferred to the state after the owners failed to pay their taxes. An inspection of the property by the office of the Attorney General identified boxes of files in the property that contained sensitive personal data. Unauthorized individuals had gained access to the property, and files stored throughout the facility appeared to have been examined, potentially by individuals looking for sensitive personal data. At this stage, it is unclear how many former patients of the facility have had their sensitive data exposed and potentially stolen. Files left unsecured at the property included a range of sensitive employee and patient information, including names, contact information, Social Security numbers, driver’s license numbers, financial account information, medical information, and biometric data.

According to the lawsuit, which was filed in Sharp County Circuit Court, the investigation uncovered no evidence to suggest the hospital took any reasonable measures to permanently destroy or secure sensitive files. The failure to ensure the confidentiality of patient data is a violation of the Health Insurance Portability and Accountability Act (HIPAA); however, as is often the case, legal action is being taken for equivalent violations of state laws. The lawsuit alleges the defendants were in violation of the Arkansas Personal Information Protection Act (PIPA) and the Arkansas Deceptive Trade Practices Act (ADTPA). Country Medical Services and the owners now face civil penalties of up to $10,000 for each violation of PIPA and the ADTPA.

“Consumers must be able to trust their healthcare providers and employers to protect their personal information,” said AG Rutledge. “Eastern Ozarks Regional Health System betrayed that trust and left patients and employees vulnerable to scams and identity theft. I am holding the hospital and its owners accountable.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.