New Mexico Hospital Hit with Class Action Lawsuit over 2020 Data Breach

San Juan Regional Medical Center in Farmington, New Mexico is facing a class action lawsuit over a data breach that was announced in June 2021. The breach investigation confirmed an unauthorized individual gained access to its network and exfiltrated files containing sensitive patient data between September 7, 2020, and September 8, 2020.

The data breach was initially reported to the HHS’ Office for Civil Rights (OCR) as affecting 500 individuals, with San Juan Regional Medical Center saying at the time that at least 500 individuals had been affected. When the total number of individuals affected by a security breach is not yet known, the breach can be reported to OCR and the breach report updated when further information is available. The breach investigation later confirmed that the protected health information (PHI) of 68,792 individuals had potentially been stolen in the attack.

While data theft was confirmed, the hospital has not uncovered any evidence to suggest any patient’s PHI has been misused, and individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services for 12 months.

The lawsuit was filed on October 7, 2021, on behalf of Jeremy Henderson and all other San Juan Regional Medical Center patients affected by the data breach. The lawsuit alleges the way San Juan Regional Medical Center handled patient data was negligent, which resulted in sensitive information being exposed and stolen by hackers. The lawsuit also alleges the hospital failed to implement appropriate safeguards to protect patient data, in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also takes issue with the length of time it took to issue notifications. Henderson said he was notified about the breach on September 13, 2021, more than a year after his PHI was stolen.

The lawsuit alleges the plaintiff and class members face a substantial risk of identity theft and fraud as a result of the theft of their protected health information, and will be required to spend time and effort monitoring their accounts and statements and taking other steps to protect against identity theft and fraud. It also alleges that 12 months of credit monitoring and identity theft protection services is insufficient. The lawsuit seeks unspecified damages.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.