Tenet Healthcare Sued Over Data Breach; San Francisco Settles Data Breach Lawsuit

Tenet Healthcare and Baptist Health are facing a class action lawsuit over a recently reported data breach that affected 1.2 million patients. The breach was detected on April 20, 2022, with the forensic investigation confirming an unauthorized third-party had accessed the IT networks of Baptist Medical Center or Resolute Health Hospital between March 31 and April 24, 2022, and removed files containing sensitive patient data. The information potentially compromised included names, addresses, Social Security numbers, health insurance information, medical information, and billing and claims data.

Tenet Healthcare issued a public notification about the cyberattack and data breach on April 26, 2022, while the investigation into the breach was ongoing. Notifications were sent to affected individuals in mid-June, less than two months after the discovery of the cyberattack. Affected individuals were offered complimentary credit monitoring and identity theft protection services.

The lawsuit was filed in Dallas County and names Texas resident, Troy Contreras, as the lead plaintiff. The lawsuit alleges the defendants were negligent for failing to protect the privacy of patients by implementing appropriate safeguards that met industry standards, such as multi-layered security, malware detection software, and providing sufficient security awareness education to the workforce, and that the data security practices of the defendants were not aligned with the guidelines issued by the Federal Trade Commission. The lawsuit also alleges a failure to issue proper notifications.

The plaintiff claims to have spent a significant amount of time ensuring his personal and protected health information is safe and that he is protected against fraud, and will continue to have to spend time doing so in the future. The lawsuit does not allege any actual misuse of the plaintiff’s data. The lawsuit seeks damages in excess of $1 million.

Please see the HIPAA Journal Privacy Policy

San Francisco Settles Medical Data Breach Lawsuit

The city and county of San Francisco have settled a long-running class action data breach lawsuit – Jane Doe, et al. vs. The City and County of San Francisco, et al – and have agreed to make $400,000 available to cover claims from the 8,884 class members. The lawsuit was filed following the impermissible disclosure of the private medical information of patients of Zuckerberg San Francisco General Hospital and Trauma Center, whose medical records were kept by neurosurgeon Dr. Shirley Stiver.

The case was filed in April 2016 in San Francisco Superior Court over the disclosure of highly sensitive data such as names, medical records, diagnoses – including HIV diagnoses – surgical notes, consultation notes, and radiologic films. The disclosures occurred without written consent from patients. The lawsuit alleged violations of the Confidential Medical Information Act and the California Health & Safety Code.

Class members are entitled to submit claims for up to $599. Claims must be submitted by August 30, 2022. The final approval hearing has been scheduled for September 29, 2022.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.