Another lawsuit

 

DeAnne Toto

 

If you subscribe to the SDB e-newsletter, you might have seen the news item in our Aug. 28, 2014, edition about a federal class-action lawsuit stemming from a data breach that involved the personal information of more than 4 million individuals. The lawsuit, which was filed on behalf of five Alabama residents who were treated at four different Community Health Systems (CHS) hospitals in the state, brought to mind the settlement earlier this year in the class-action lawsuit involving a potential data breach at AvMed, a Florida-based health insurer.

CHS is a Tennessee-based hospital system that operates 12 facilities throughout Alabama. The health care provider said its computer system had been attacked in April, May and June. Nonmedical personal information that included names, addresses, birth dates, telephone numbers and Social Security numbers was obtained. CHS operates 206 hospitals in 29 states, and 4.5 million people across the U.S. were affected by the breach.

According to an article on AL.com, available at http://bit.ly/1vJDEnZ, “The suit alleges breach of contract, breach of implied contract, breach of implied covenant of good faith and fair dealing, unjust enrichment, money had and received, negligence, negligence per se, wantonness, invasion of privacy and violations of the Fair Credit Reporting Act.”

As in the AvMed case, the class-action suit claims that the plaintiffs’ information was compromised because the hospital system failed “to implement and follow basic security procedures” and that CHS was enriched unjustly because it failed to allocate a portion of its fees to ensuring data security. Hospital officials did not adequately protect or encrypt patients’ sensitive information, according to the plaintiffs.

The suit also claims that patients and former patients of CHS face an increased risk of identity theft and must spend time and money to protect themselves against this risk.

In addition, the suit alleges that CHS and its hospitals did not promptly notify patients who were affected by the breach. (Under HIPAA [Health Insurance Portability and Accountability Act], organizations are required to report a data breach to affected parties within 60 days of its discovery.) CHS’ corporate compliance and privacy officer posted a letter Aug. 19 on the hospital system’s corporate website that informed clients that individuals whose information was taken in the attack would be mailed a letter informing them about the data breach and how to enroll in free identity theft protection and credit monitoring services.

Professionals in the health care and information management industries undoubtedly will monitor this case closely to see if a settlement is reached as in the AvMed case or if the lawsuit goes to trial.

September 2014