Lawsuit Filed Against Children’s National Medical Center for 2014 Data Breach

Children’s National Medical Center has been named in a new class-action lawsuit filed by a victim of a data breach that occurred in 2014. The plaintiff, Fardoes Khan, has not suffered any harm or loss as a result of the exposure of her PHI, but she is seeking damages for the increased risk of suffering identity theft and fraud. The lawsuit was originally filed in Montgomery County, although last week it was moved to the Maryland federal court.

The lawsuit concerns a data breach that occurred during the second half of 2014, when hackers gained access to a number of hospital email accounts after some employees responded to phishing emails. As a result of the responses, hackers potentially gained access to email accounts on July 26, 2014. The data breach was discovered by Children’s National Medical Center on December 26, 2014.

As soon as the breach was discovered and the affected email accounts identified, they were closed and secured. The hospital recruited the help of an external computer forensics company and a thorough investigation was conducted to determine the extent of the breach, the patients affected, and the data potentially compromised. The forensics company determined that some Social Security numbers had been exposed along with patient names.

When the data breach was announced, the hospital released a statement apologizing for the breach. A spokesperson for the hospital also said, “Importantly, neither our patient charts nor our electronic medical records system were compromised. Only the discrete information contained in the email accounts was potentially affected.” In total 18,000 individuals were affected by the data breach, although only a small number of Social Security numbers were exposed, according to the breach notice issued by the hospital.

The volume of healthcare data breaches has increased in recent months. Hackers have targeted healthcare providers looking for Protected Health Information, which can be used to steal identities, fraudulently obtain credit, and make bogus tax and insurance claims. However, since the data exposed in the Children’s National Medical Center breach was limited, so too would be the opportunities for hackers to use the data.

At this stage, the data does not appear to have been used inappropriately, although oftentimes thieves do not use stolen information immediately. Patients therefore face an elevated risk of harm or loss, which could potentially last a lifetime. That said, the courts do not usually rule in favor of data breach victims unless there is evidence that actual harm or losses have been suffered.

In this case, the plaintiff alleges the hospital violated HIPAA laws, making patients vulnerable to identity theft, fraud, credit damage and targeted marketing, and that the breach victims could potentially have to cover increased insurance premiums as a result of the data exposure. Khan alleges the hospital violated patient privacy rights by “intentionally, willfully and recklessly failing to take the necessary precautions required to safeguard and protect their PII/PHI from unauthorized disclosure.”

The lawsuit seeks unspecified punitive, statutory, and compensatory damages, in addition to the cost of credit monitoring services.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.