HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Flowers Hospital Data Breach Settlement Approved by Judge

A class action data breach lawsuit filed against Flowers Hospital in Dothan, AL, in 2014 has finally been settled.

In 2014, an employee of Flowers Hospital stole the personal information of patients from the hospital laboratory and used the information to file fraudulent tax returns in the names of patients.

A deputy sheriff discovered patient files in the vehicle of laboratory employee Karmarian Millender during a traffic stop. The investigation revealed that Millender had been stealing patient records from the laboratory and had sold the information to tax fraudsters, who filed fraudulent tax returns in patients’ names. Millender pleaded guilty to the theft of patient data and was sentenced to two years in prison.

Many patients incurred out-of-pocket expenses from paying for credit monitoring services, lost earnings from arranging those services and combatting identity theft, and lost interest from delayed tax refunds. A class action lawsuit was filed against the hospital to recover those costs.

The lawsuit alleged the hospital had been negligent by failing to implement adequate measures to prevent data theft. Flowers Hospital attempted to have the lawsuit dismissed for lack of standing and claimed that the plaintiffs failed to link the data breach to economic harm. A judge allowed the plaintiffs to amend the complaint and the motion to dismiss was not carried over to the updated filing.

It has taken nearly five years, but the lawsuit has finally been dismissed and Flowers Hospital has agreed to a settlement of up to $150,000. That settlement was recently approved by a judge. Up to 1,208 patients potentially had their protected health information stolen and those who filed claims will be awarded a proportion of the settlement amount.

The maximum claim per patient is $5,000, which covers loss of interest on delayed tax returns, the cost of credit monitoring services, and compensation for loss of earnings while arranging those services, up to a maximum of 4 hours. The majority of breach victims are expected to be awarded up to $250 in damages.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.