25% off all training courses Offer ends May 8, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 8, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Santa Rosa Memorial Hospital Sued Over HIPAA Breach

Posted By on Apr 9, 2012

A class-action lawsuit has been filed in the Sonoma County Superior Court on behalf of two California residents affected by a data breach suffered by 6 hospitals in the St. Joseph Health System in California. The data breach exposed the records of 31,800 patients throughout the state of California

The lawsuit has been filed naming two patients of the Santa Rosa Memorial Hospital, where 6,235 individuals were affected. The breach also exposed the records of 4,263 patients of Queen of the Valley Hospital in Napa and patients from four other hospitals. The suit is being filed on behalf of all 31,800 patients affected by the breach and seeks damages of $1,000 per patient.

The HIPAA breach was discovered when a patient, Deanna DeBaek, ran a search in Google and discovered her healthcare information had been listed in the search engines. That was on January 24, with the records she found relating to treatment she had through the St. Joseph hospital system in 2011.

The lawsuit alleges that the St. Joseph Health System acted with negligence and unlawfully released medical information without first obtaining prior permission from patients. It also alleges that St. Joseph did not “implement and maintain appropriate and reasonable security procedures and practices” to protect PHI.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Brian Greene, a spokesperson for the St. Joseph Health System in Orange County, indicated that the probability of any information being used was relatively low and that he knew of no patient who had been negatively affected by the data breach.

He pointed out that while some healthcare data was exposed, no Social Security numbers were disclosed and financial information was protected. The breach involved medical reports rather than electronic medical records.

Class-action lawsuits for damages rarely succeed unless there is some evidence of actual harm or loss suffered as a result of a data breach. Proof that third parties have used information illegally and have obtained credit, goods, services or benefits is usually required in order for the claims to be successful.

Even though the risk is perceived to be low, St. Joseph has provided credit monitoring services to all affected individuals to monitor for any fraudulent activity.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist