HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Florida Hospital Submits Motions to Dismiss Two Data Breach Lawsuits

Last month, the Florida Hospital group reported a data breach had exposed the records – including Social Security numbers – of 94 individuals. A data breach class-action lawsuit for this year’s breach almost certain to be filed; however, the hospital group’s legal team is already busy with two class action lawsuits.

The two potential lawsuits have been filed for two separate data breaches that occurred in 2011 and 2012; the latter was not discovered for two years. Recently the healthcare provider’s lawyers have made the move to have booth class-action motions thrown out, according to a recent report in the Orlando Sentinel. The class-action lawsuits are currently pending in the Florida Orange County Circuit Court.

Motions Submitted to Toss the Data Breach Lawsuits


Both cases are viewed by the Florida Hospital Group as being speculative claims for non-existent damages. Patient data was exposed, and in one case also sold on; however there is perceived to be only a low risk of losses or damage being suffered.

In the 2011 breach, Patient information was obtained and sold on to lawyers and chiropractors, who used the information to try to solicit business from road traffic accident victims; not for the purposes of committing fraud.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

While the plaintiffs may have been contacted by a chiropractor and/or a lawyer; that is where the harm ends. It is unlikely that any permanent loss or damage was caused and without any actual damages, it is highly unlikely that a judge would rule in favor of the plaintiffs. The hospital maintains that it is not possible to file a case on the grounds of facing a higher risk of suffering identity theft.

The type of data stolen or exposed in the incident can be used by criminals to commit identity fraud, Medicare fraud, insurance fraud, tax fraud, and identity theft. In Florida criminals have targeted healthcare providers to obtain data to allow them to file fraudulent tax returns. While the risk of this occurring is certainly elevated as a result of the data breach, no evidence has so far been uncovered to indicate any information has been used inappropriately.

The suits allege that the plaintiffs paid for data security measures to be put in place, and the hospital failed to honor its duty in this regard; although, in Florida at least, it may be difficult for a successful case to be filed on that basis. There has been no known successful lawsuit filed on that basis, and as Florida Hospital’s lawyers argue, there is no fiduciary duty between a hospital and a patient.

Three Data Breaches Caused by Florida Hospital Employees

All three data breaches have resulted from the same cause: employees accessing the hospital computer system to copy patient records. The first data breach in 2011 was caused by two employees: Dale Munroe and Katrina Munroe. The pair accessed healthcare records and selected individuals and copied their data which was subsequently passed on for financial gain. The Monroes are currently facing criminal charges for the accessing, copying and disclosing PHI for financial gain. The pair received $10,000 for supplying the data to chiropractor, Sergei Kusyakov. They now potentially face up to 10 years in jail.

The second data breach involved an individual accessing approximately 9,000 records over a two year period. The employee concerned is no longer employed at the hospital, but has escaped criminal charges so far.

In both of these cases the hospital agrees that there was a HIPAA violation, but that it was the employees concerned willfully breached HIPAA Rules.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.