Santa Rosa Memorial Hospital Sued Over HIPAA Breach

A class-action lawsuit has been filed in the Sonoma County Superior Court on behalf of two California residents affected by a data breach suffered by 6 hospitals in the St. Joseph Health System in California. The data breach exposed the records of 31,800 patients throughout the state of California

The lawsuit has been filed naming two patients of the Santa Rosa Memorial Hospital, where 6,235 individuals were affected. The breach also exposed the records of 4,263 patients of Queen of the Valley Hospital in Napa and patients from four other hospitals. The suit is being filed on behalf of all 31,800 patients affected by the breach and seeks damages of $1,000 per patient.

The HIPAA breach was discovered when a patient, Deanna DeBaek, ran a search in Google and discovered her healthcare information had been listed in the search engines. That was on January 24, with the records she found relating to treatment she had through the St. Joseph hospital system in 2011.

The lawsuit alleges that the St. Joseph Health System acted with negligence and unlawfully released medical information without first obtaining prior permission from patients. It also alleges that St. Joseph did not “implement and maintain appropriate and reasonable security procedures and practices” to protect PHI.

Brian Greene, a spokesperson for the St. Joseph Health System in Orange County, indicated that the probability of any information being used was relatively low and that he knew of no patient who had been negatively affected by the data breach.

He pointed out that while some healthcare data was exposed, no Social Security numbers were disclosed and financial information was protected. The breach involved medical reports rather than electronic medical records.

Class-action lawsuits for damages rarely succeed unless there is some evidence of actual harm or loss suffered as a result of a data breach. Proof that third parties have used information illegally and have obtained credit, goods, services or benefits is usually required in order for the claims to be successful.

Even though the risk is perceived to be low, St. Joseph has provided credit monitoring services to all affected individuals to monitor for any fraudulent activity.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.