Healthcare Information Security

Tampa General Hospital Data Breach Settlement Reached

A settlement was reached for a Florida hospital, stemming from an alleged data breach where one or more former employees inappropriately accessed patient information.

By Elizabeth Snell

A settlement was recently reached for Tampa General Hospital, following allegations of a health data breach where employees inappropriately accessed patient information.

The hospital will pay $10,000 into a Settlement Fund, where payments to Settlement Class Members will be for actual losses caused by fraudulent use of patient information, according to the settlement website.

Tampa General will also pay for one year of credit monitoring to Settlement Class Members who successfully make a claim for monetary payment.  

“The settlement provides that, to get a payment, you must have suffered an actual loss occurring after, and as a result of, a ‘stolen identity event’ that you reasonably believe is traceable to the matters described in a letter that you received from the Hospital (dated August 5, 2013, August 12, 2013, or September 12, 2014) notifying you that you may be at increased risk of identity theft as a result of inappropriate access to your patient information,” the website explains.

The initial complaint alleged that patients provided PHI and PII to Tampa General, and that one or more former hospital employees “engaged in unauthorized or improper access to such PHI and PII.” Along with negligence, the hospital was accused of breach of fiduciary duty, breach of implied contract, and violation of the Florida Deceptive and Unfair Trade Practices Act.

“[Tampa General] denies the allegations of the Complaint and believes that the Action is without merit,” the settlement reads. “Nevertheless, in order to avoid the burden, expense, risk, and uncertainty of continuing to litigate the Action, and to put to rest the controversies engendered by the Action, and without any admission of any liability or wrongdoing whatsoever, [Tampa General] wishes to settle the Action and all Released Claims on the terms and conditions set forth in this Agreement.”

In May 2014, Tampa General reportedly had actual or constructive knowledge that unknown individuals wrongfully accessed and obtained patient PHI and PII, according to the amended complaint. This data included names, addresses, dates of birth, Social Security numbers, admitting diagnoses, and insurers.

The data breach was discovered when Tampa Police arrested an individual who was not employed at Tampa General but had hospital patient records in their possession.

Plaintiffs claimed that the hospital’s failure to keep PHI and PII secure could lead to identity theft for the involved patients.

Tampa General also had a history of failing to protect patient information, according to the complaint. The complaint cited a January 2012 incident where data integrity specialist Tigi Moore “accessed without authorization the personal information of present and/or former patients of Defendant for the purpose of engaging in a fraudulent scheme to steal the identities of patients and filing false tax returns on behalf of those patients.”

Additionally, a University of South Florida employee was pulled over by Hillsborough County Sheriff’s deputies in May 2013. Upon searching the vehicle, deputies discovered PHI that the employee should not have had access to.

There was also a June 2013 incident where a Tampa General nurse accessed patient records without authorization and discovered that the patient had given up a baby for adoption in October 2008.

“The nurse informed the family of this patient of this fact at a family reunion,” the claim said. “The nurse was terminated for this intrusion into the privacy of the patient.”

In numerous cases, Tampa General’s only action to protect patient data was to send letters offering one year of free credit monitoring to those affected by the breach, according to the documents.

The Court will hold a Final Fairness Hearing on March 23, 2017, to decide whether or not to approve the settlement.

“The Court also may decide how much the Hospital must pay Class Counsel and the Plaintiff for fees and costs,” the website states. “After the hearing, the Court will decide whether to finally approve the settlement, finally certify the Settlement Class, and enter a final judgment directing that the settlement be carried out.”
