Share this article on:
A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status.
The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived.
In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital – Kamarian Millender – stole non-hospital records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years.
Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns.
In total, prosecutors alleged tax returns totaling around $536,000 were submitted to the IRS, although most of those returns were stopped and just $18,915 in refunds were issued. Millender was sentenced to serve 2 years in prison after pleading guilty. Millender is not believed to have acted alone, but his suspected accomplice remains at large.
While there is no doubt that PHI was stolen and misused and losses were suffered as a direct result, there is some debate as to how many individuals have been impacted. Flowers hospital sent breach notification letters to 1,208 patients after discovering five files were missing, each of which were understood to contain the records of around 100 to 150 patients.
While patients were notified that they were potentially affected, Flowers Hospital only sent the letters to all of those patients ‘out of an abundance of caution’. Not all of those individuals have necessarily had their information stolen and misused. The breach report submitted to OCR indicates 629 individuals were impacted by the breach.
Earlier this week, Chief United States District Judge W. Keith Watkins awarded class action status to the lawsuit, even though it was unclear how many individuals were impacted. The plaintiffs had not shown how many punitive class members were affected, although it is probable that they will number in the hundreds. Judge Watkins said, “[Even if] the class is limited to the 73 victims identified in Millender’s plea agreement, the named plaintiffs have easily satisfied the numerosity requirement.”
Many data breach lawsuits ultimately fail as the plaintiffs are unable to demonstrate that losses have been suffered as a direct result of the theft or exposure of protected health information. In this case, the perpetrator was convicted and it is clear that at least some of the plaintiffs have suffered losses. How many of the class members will be able to demonstrate that harm has been suffered remains to be seen. The lawsuit alleges negligence, breach of contract, violation of the Fair Credit Reporting Act and an invasion of privacy, although the latter claims have now been dismissed.
It is possible that the Judge’s ruling may be challenged so there are potential hurdles ahead. If the lawsuit survives a challenge it will move to the discovery phase. Flowers Hospital/Triad of Alabama have not yet announced their next course of action.