Healthcare Information Security

HIPAA and Compliance News

Judge Approves Flowers Hospital Settlement over 2014 Data Breach

The Alabama provider will pay $150,000 to 1,200 patients whose data was stolen by an employee to file fraudulent tax returns.


By Jessica Davis

A federal judge has approved a settlement between Flowers Hospital and the 1,200 patients whose data was stolen from the hospital in 2014, according to Alabama news station WTVY.

The Alabama-based provider will pay the victims up to $150,000. The damages for each victim are capped at $5,000, and no punitive damages will be awarded. The attorneys proposed the settlement in July, and the judge finalized it last week.

The federal lawsuit claimed the hospital’s negligence resulted in the theft of 1,200 patient records in 2014. During a traffic stop, a deputy sheriff discovered the patient records from Flowers Hospital in a car that belonged to Karmarian Millender, a lab employee of the hospital.

Millender later pleaded guilty to routinely removing files from the hospital and then selling the data to others, who used the information to complete fraudulent income tax returns. The data contained names, addresses, Social Security numbers, and health plan numbers.

Law enforcement notified the hospital about the data theft in February 2014, and the hospital sent notifications to the affected patients in April 2014.

Two hospital patients filed a lawsuit against Flowers Hospital in June 2014, arguing that the provider did not properly safeguard patient information. In March 2017, a judge approved the case as a class-action lawsuit.

Flowers Hospital attempted to have the case dismissed on several occasions, arguing that patients failed to link the breach to actual harm. A judge denied those motions.

Under the settlement, patients impacted by the breach can be reimbursed for verified and documented out-of-pocket expenses related to the theft, along with credit monitoring services. Patients can also be reimbursed for time spent dealing with the theft and the interest related to delayed tax refunds caused by a fraudulent tax return.

Flowers Hospital denied any wrongdoing in the case and maintains its security was sufficient in protecting patient data. The settlement is not an admission of any wrongdoing.

The settlement should serve as a warning to healthcare providers to bolster security programs and policies. Lawsuits filed by victims of healthcare breaches have increased in recent years, as cyberattacks have continued to pummel the industry.

In August, a judge finalized the Anthem settlement between the insurer and the 79 million victims of its 2015 data breach. Meanwhile, Allscripts, Missouri-based Children’s Mercy Hospital, and LifeBridge, among others, are currently in the midst of lawsuits filed by patients impacted by breaches and/or EHR outages caused by ransomware.

