A hospital medical center in the state of Washington has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance coverage, and health data. A total of 109,000 individuals were notified regarding the breach, although only 24,000 individuals are included in the class action lawsuit, as it was determined that all other patients did not have their personal health information (PHI) exposed.
The class action lawsuit alleged that the hospital medical center was negligent for failing to prevent unauthorized individuals from gaining access to its systems. Additionally, the lawsuit alleged intrusion upon seclusion/invasion of privacy, breach of fiduciary duty, breach of confidence of express contract, and breach of implied contract.
The breach was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees. One of those email accounts was compromised between December 6, 2019, and December 9, 2019. The other email accounts were compromised for several hours on December 9, 2019. The investigation did not uncover evidence of data theft or misuse of patient data. However, it was not possible to rule out unauthorized access to PHI and the exfiltration of data.
The lawsuit alleged that the hospital failed to implement reasonable safeguards to ensure the privacy of HIPAA-covered data and failed to provide adequate notice about the data breach. The hospital medical center has denied all claims made in the lawsuit and all charges of wrongdoing. The decision was made to settle the lawsuit with no admission of liability.
Under the terms of the settlement, two types of claims can be submitted. Class action members are entitled to claim up to $250 for certain out-of-pocket expenses incurred as a result of the breach, including bank fees, phone calls, postage costs, fuel for local travel and up to three hours of documented time at $20 per hour provided at least one full hour was spent on mitigations. Additionally, it is also possible to recover the cost of credit report fees and credit monitoring and identity theft protection services taken out between February 4, 2020, and the date of the Court’s preliminary approval of the settlement.
Claims for extraordinary expense reimbursement may be submitted for up to $2,500. These claims must include evidence of losses that were more likely than not suffered as a result of the breach between December 1, 2019, and the end of the claim period.
A fairness hearing has been scheduled for September 10, 2021.
Issue:
All healthcare workers must understand HIPAA requirements and their obligation to secure protected health information (PHI). The Privacy Rule allows access to information needed to ensure high quality healthcare and to protect the public, while ensuring an individual’s health information is properly protected. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.
Discussion Points:
- Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates and timely response to requests from authorized individuals.
- Train all staff minimally upon hire and annually on HIPAA, PHI, and Privacy, including responding timely to requests for records and how to report concerns of potential breaches of PHI. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that your facility’s policies and procedures for HIPAA, PHI, privacy, and record release are being followed by all staff, and that each person demonstrates understanding and competence.
