Share this article on:
Last month, the Florida Hospital group reported a data breach had exposed the records – including Social Security numbers – of 94 individuals. A data breach class-action lawsuit for this year’s breach almost certain to be filed; however, the hospital group’s legal team is already busy with two class action lawsuits.
The two potential lawsuits have been filed for two separate data breaches that occurred in 2011 and 2012; the latter was not discovered for two years. Recently the healthcare provider’s lawyers have made the move to have booth class-action motions thrown out, according to a recent report in the Orlando Sentinel. The class-action lawsuits are currently pending in the Florida Orange County Circuit Court.
Motions Submitted to Toss the Data Breach Lawsuits
Both cases are viewed by the Florida Hospital Group as being speculative claims for non-existent damages. Patient data was exposed, and in one case also sold on; however there is perceived to be only a low risk of losses or damage being suffered.
In the 2011 breach, Patient information was obtained and sold on to lawyers and chiropractors, who used the information to try to solicit business from road traffic accident victims; not for the purposes of committing fraud.
While the plaintiffs may have been contacted by a chiropractor and/or a lawyer; that is where the harm ends. It is unlikely that any permanent loss or damage was caused and without any actual damages, it is highly unlikely that a judge would rule in favor of the plaintiffs. The hospital maintains that it is not possible to file a case on the grounds of facing a higher risk of suffering identity theft.
The type of data stolen or exposed in the incident can be used by criminals to commit identity fraud, Medicare fraud, insurance fraud, tax fraud, and identity theft. In Florida criminals have targeted healthcare providers to obtain data to allow them to file fraudulent tax returns. While the risk of this occurring is certainly elevated as a result of the data breach, no evidence has so far been uncovered to indicate any information has been used inappropriately.
The suits allege that the plaintiffs paid for data security measures to be put in place, and the hospital failed to honor its duty in this regard; although, in Florida at least, it may be difficult for a successful case to be filed on that basis. There has been no known successful lawsuit filed on that basis, and as Florida Hospital’s lawyers argue, there is no fiduciary duty between a hospital and a patient.
Three Data Breaches Caused by Florida Hospital Employees
All three data breaches have resulted from the same cause: employees accessing the hospital computer system to copy patient records. The first data breach in 2011 was caused by two employees: Dale Munroe and Katrina Munroe. The pair accessed healthcare records and selected individuals and copied their data which was subsequently passed on for financial gain. The Monroes are currently facing criminal charges for the accessing, copying and disclosing PHI for financial gain. The pair received $10,000 for supplying the data to chiropractor, Sergei Kusyakov. They now potentially face up to 10 years in jail.
The second data breach involved an individual accessing approximately 9,000 records over a two year period. The employee concerned is no longer employed at the hospital, but has escaped criminal charges so far.
In both of these cases the hospital agrees that there was a HIPAA violation, but that it was the employees concerned willfully breached HIPAA Rules.