Tampa General Hospital Settles Class Action Data Breach Lawsuit

According to figures from the Federal Trade Commission, Florida is one of the top three states for fraud and identity theft. Criminals in the state use stolen consumer data to steal identities and file fraudulent tax returns, with the data often coming from healthcare organizations.

Fraudsters often target the lowest paid healthcare workers and pay them to steal patients’ personal information and Social Security numbers. Many Florida hospitals have fired employees who have been discovered to have abused their access to patient health information and passed stolen information on to identity thieves.

Victims of fraud can suffer considerable losses which can prove difficult to recover. Legal action can be taken against the healthcare organizations that experience internal data breaches, although the lawsuits very rarely succeed.

One such lawsuit was filed against Tampa General Hospital. The class action lawsuit – John Doe v. Florida Health Sciences Center Inc. d/b/a Tampa General Hospital – alleged the hospital had been negligent for failing to protect patient data; breached its fiduciary duty, breached an implied contract, and violated Florida’s Deceptive and Unfair Trade Practices Act.

The plaintiffs claimed that in May 2014, the hospital had “actual or constructive knowledge that unknown individuals wrongfully accessed and obtained Plaintiff’s and Class Members’ PHI and PII in Defendant’s possession which included names, addresses, dates of birth, Social Security numbers, admitting diagnoses, and insurers.”

The lawsuit listed numerous cases of data theft at the hospital between 2012 and 2015, including an incident in 2014 that was uncovered by the Tampa Police Department. An individual was arrested and found to be in possession of patient records that had been stolen from Tampa General. The individual did not work at the hospital but had allegedly obtained the data from a hospital employee.

According to the lawsuit, many patients had suffered losses due to identity theft following the theft of data from the hospital. Even if losses had not been suffered, patients now face an increased risk of identity theft and fraud due to the hospital’s failure to protect their sensitive information. The lawsuit claims Tampa General Hospital’s “history of protecting patient information has been poor.”

Lawsuits filed against organizations that have experienced data breaches rarely succeed, even when plaintiffs can prove losses have been suffered following a data breach. However, the lawsuit against Tampa General Hospital was successful. Tampa General has recently agreed to a settlement with the plaintiff and class members.

Tampa General has agreed to pay the plaintiffs $10,000 in damages and up to $7,500 to cover the plaintiffs’ attorney fees and litigation expenses. In order to qualify for a percentage of the settlement, plaintiffs must be able to demonstrate that they have suffered actual losses as a result of the breach.

Tampa General Hospital denies any wrongdoing and maintains that it is not responsible for the alleged actions of some of its former employees. The decision to settle the case was taken to avoid the expense and burden of taking the case to trial.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.