Class-Action Lawsuit for Flowers Hospital Data Breach Moves to Discovery Phase

A class-action lawsuit filed after a Flowers Hospital data breach has survived a motion to dismiss. The case, which was filed against Flowers Hospital’s then parent company, Triad of Alabama, will now progress to the discovery stage, with most of the plaintiffs’ claims carried over.

Last month the case went before a magistrate judge who ruled in favor of the plaintiffs. Lawyers for Triad had submitted a motion to dismiss the lawsuit, claiming there were not sufficient legal grounds to justify the plaintiffs’ claims; however, Magistrate Judge Paul Greene said in his recommendations, “Though they were given careful consideration, defendant’s arguments are ultimately unpersuasive.”

The plaintiffs claim that Flowers Hospital, now owned by Community Health Systems, failed to put sufficient measures in place to protect patients’ data and, as a result, breached its contract with patients. They also claim the healthcare provider violated the Federal Credit Reporting Act and state laws, and was negligent.

The lawsuit was filed after a former employee of the hospital, Kamarian Deshaun Millender, allegedly stole data from the hospital with the intention of filing fraudulent tax returns in the names of the victims. The data was stolen between June 2013 and February 2014. After being apprehended and charged with the crimes, Millender admitted the theft, pleaded guilty to one count of felony identity theft, and received two years of jail time.

Data breach lawsuits are often filed against healthcare providers who have suffered data breaches that exposed the Protected Health Information of patients. The cases are often tossed due to a lack of evidence that the plaintiffs suffered actual harm as a result of the exposure of their data. While it depends on the court and state where the lawsuit is filed, in many cases the suits are ruled in favor of the defendants unless evidence can be supplied to show actual losses or damage has been suffered.

In this case, lawyers for Triad submitted a motion to dismiss the case for this reason. The lawyers claimed that the plaintiffs’ contention that they faced additional risk of suffering future injuries as a result of the exposure of their PHI did not give them sufficient legal grounds to justify a claim for damages. Following the data breach, Flowers Hospital contacted all victims affected by the breach and offered them a year of credit monitoring services without charge in an effort to mitigate risk.

This was deemed to be sufficient protection for the plaintiffs, as the person responsible for the data theft had admitted the crimes, and was now behind bars. The data was used to submit fraudulent tax returns, but the lawyers for Triad maintained that even though fraud had been committed and tax returns submitted in their names, the plaintiffs had not actually suffered any losses as a result. They were unable to show any evidence that losses had actually been suffered.

The plaintiffs maintained that they had had to cover expenses as a result of the fraudulent claims. They also claimed that they are likely to suffer losses in the future, as their data has been exposed and is now in the hands of criminals. They also claimed they have had to cover costs in an effort to mitigate the risk of fraud they now face.

Five plaintiffs were named in the lawsuit; however, the suit also includes other data breach victims “similarly situated”. As a result, should the case ultimately be ruled in favor of the plaintiffs, thousands of others could be added to the lawsuit. The damages could therefore be considerable.

Late last month, following the magistrate judge’s decision to allow the case to stand, Triad’s lawyers urged the courts to toss the case for a lack of standing; however, U.S. District Judge William Keith Watkins also sided with the plaintiffs, adopting Judge Greene’s recommendations. The lawsuit will now move on to the discovery stage.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.