Healthcare Information Security

Mount Sinai St. Luke’s Sued Following HIPAA Violation

Mount Sinai St. Luke’s Hospital is facing a lawsuit following a HIPAA violation in which the provider faxed a patient’s data to his employer.

By Elizabeth Snell

New York-based Mount Sinai St. Luke’s Hospital is being sued for faxing patient PHI to the patient’s employer, a reported HIPAA violation that has already resulted in an OCR HIPAA settlement.

The Law Offices of Jeffrey Lichtman represent the client whose PHI was exposed, and explained in a blog post that the incident caused the man stress and ultimately forced him to quit his job.

“Despite admitting its wrongdoing and paying a $387,000 fine to the government, Mount Sinai St. Luke’s Hospital has refused to even discuss a financial settlement with our client due to its unlawful actions,” the blog post read. “For these reasons, we have been forced to initiate this lawsuit, suing the hospital for negligence and negligent infliction of emotional distress.”

Formerly the Spencer Cox Center for Health (the Spencer Cox Center), St. Luke’s specializes in services for individuals living with HIV or AIDS and other chronic diseases.

OCR received a complaint in September 2014 that St. Luke’s faxed an individual’s information to his employer. The Spencer Cox Center employee faxed the information to the individual’s employer rather than to the requested personal post office box, OCR found.

“St. Luke's impermissibly disclosed PHI of two identified patients when Spencer Cox staff members faxed one individual's PHI to his workplace and the other individual's PHI to an office at which he volunteered,” said the Corrective Action Plan. “Given the type of PHI involved, specifically information about HIV, AIDS, and mental health, the impermissible disclosures were egregious.”

OCR added that St. Luke’s must review and revise as necessary its policies and procedures concerning proper PHI disclosure. Current employee training materials on safeguarding PII will also need to be reviewed and revised as necessary, the agency said.

“St. Luke's shall not provide access to PHI to any member of its workforce if that workforce member has not signed or provided the written or electronic certification required… within three months of distribution,” the CAP stated.

The individual had not yet told the majority of his family and friends about his HIV diagnosis, explained the law office blog post.

“The stress of believing that his coworkers were aware of his condition forced him to quit his job, and cost him substantial health benefits and insurance,” the post stated. “Because of the increased costs associated with his medical insurance at his new job, our client has been forced to discontinue seeing his therapist to help cope with the actions of St. Luke’s Hospital which leaked his condition.”

Even though the hospital HIPAA officer called the incident an “egregious” “breach,” the law firm said that employee also “tried to assuage our client by claiming that he was lucky just a mail room employee had received the fax with his health issues contained therein.”

The negligence lawsuit is for $2.5 million, according to a NY Daily News article.

A similar lawsuit was recently filed against Aetna, after the organization reportedly experienced a data breach in which 12,000 individuals were notified.

The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C. filed a federal class action lawsuit in the U.S. District Court for the Eastern District of Pennsylvania in August 2017.

Aetna has experienced multiple data breaches, the lawsuit maintained, the most recent of which occurred in July 2017. Aetna sent a letter in the mail where information about ordering prescription HIV drugs was clearly visible through the envelope's clear window, the lawsuit stated.

“…the instructions for the recipient to fill their HIV medication prescription was plainly visible through the large-window section of the envelope,” the documents explained. “Specifically, the visible portion of the letter clearly indicated that it was from Aetna, included a claims number and information for the addressee, and stated ‘[t]he purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medic…’”

While Aetna did not immediately specify how many individuals had their information potentially exposed, the insurer sent notifications to approximately 12,000 individuals in at least 23 states.

"We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members," Aetna said in a statement. "This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again."
