Children’s National Health System is facing a class-action lawsuit following a health data breach in which 18,000 patients potentially had their information compromised. The incident took place toward the end of 2014, and occurred when Children’s National employees fell victim to a phishing scam.
Fardoes Khan was one of the patients who received a data breach notification from Children’s National, and has since filed a lawsuit. Khan alleges that the hospital betrayed her trust, along with that of the other patients, by failing to properly safeguard patient PII and PHI. Moreover, the hospital disclosed that sensitive information without patient authorization, according to the suit.
“As a result of the data breach, sensitive personal information including patient demographics and clinical information were leaked,” the lawsuit states. “Defendant failed to maintain a secure data network and consequently, data hackers were able to access confidential patient information.”
The original health data breach was first discovered by Children’s National on December 26, 2014. However, the unauthorized access may have taken place from July 26, 2014 to Dec. 26, 2014. Exposed information included names, addresses, dates of birth, and telephone numbers. Diagnoses, treatment received, medical record numbers, medical service codes or health insurance information were also potentially accessed, according to Children’s National. Social Security numbers were also included in a few cases.
Khan’s suit also states that the information that was accessed in the phishing scam was “unencrypted and unsecured by any passwords or other security measures.” The health system allegedly disregarded patients’ rights and privacy by “intentionally, willfully and recklessly failing to take the necessary precautions required to safeguard and protect their PII/PHI from unauthorized disclosure.”
The case was first filed in Montgomery, Maryland circuit court, but was moved to the US District Court of Maryland last week.
When the health data breach was first reported, Children’s National said that there was no evidence showing that the information contained in the employee emails had been used maliciously. The health system added that it was reinforcing its staff training on how to handle suspicious emails and that its technical safeguards would be enhanced.
Class-action lawsuits are potential results of a health data breach, and several healthcare organizations have been recently dealing with them. For example, UCLA Health System is facing charges following a data breach where 4.5 million individuals potentially had their information exposed. In that case, UCLA Health discovered suspicious activity on its network. The lawsuit claims that the organization did not take the necessary precautionary steps to prevent unauthorized cyber activity.
Florida Hospital is facing two class-action lawsuits following two separate health data breach incidents. In both cases, healthcare employees were reportedly accessing patient information outside of their normal duties. In one of the lawsuits, Florida Hospital claims that “no Florida court has recognized a fiduciary duty between a hospital and a patient” and that its employees were willfully violating HIPAA regulations.