More than 1,200 people could receive up to $150,000 in payments following the tentative settlement of a class-action lawsuit against Alabama-based Flowers Hospital for a 2014 healthcare data breach, TV station WTVY reported on July 23.
Back in 2014, Kamarian Millender, a former Flowers Hospital lab technician, was indicted on charges that he stole patients’ PHI as part of an alleged tax fraud scheme from June 2013 to February 2014. Millender pled guilty to stealing the records and served time in prison.
The breach compromised patient names, addresses, dates of birth, Social Security numbers, and health plan policy numbers. The hospital sent data breach notification letters on April 15, 2014.
Affected patients filed a punitive class-action lawsuit in federal court, referencing a violation of the Fair Credit Reporting Act and increased risks of identity theft and medical fraud.
Under the tentative settlement, those who were affected by the breach would be reimbursed out-of-pocket credit monitoring costs and receive up to four hours in lost wages. They would also be paid interest on delayed tax refunds caused by the data breach, TV station WTVY reported.
The cap on damages is $5,000 per person and $150,000 total for all claims. All claims must be filed by December 13. No punitive damages will be awarded.
If a federal judge approves the plan, the agreement would end the four-year-old suit against Flowers Hospital.
In response to the original suit, Flowers Hospital filed a motion to dismiss it, arguing that the plaintiffs had failed to link the data breach to any actual economic harm they had suffered and the claims lacked standing. However, the judge allowed the plaintiffs to amend their complaint, which also meant that the motion to dismiss would not carry over to the updated filing.
“Any motion to dismiss filed in response to plaintiffs’ amended complaint, and any response in opposition thereto, shall fully set forth any arguments in support of or in opposition to such motion, and shall not simply renew or incorporate arguments made in previous motions and responses thereto,” the judge wrote.
Two recent class-action lawsuits highlight the legal jeopardy that healthcare organizations place themselves in by having inadequate security programs.
In January, EHR vendor Allscripts suffered a SamSam ransomware attack that prevented around 1,500 customers from accessing its cloud EHR applications.
“The affected tools are part of a patient engagement platform and are used to support and connect 45,000 physician practices, 180,000 physicians, 19,000 post-acute agencies, 2,500 hospitals, 100,000 electronic prescribing physicians, 40,000 in-home clinicians, and 7.2 million patients,” a report by HHS concerning the SamSam ransomware threat stated.
One of its customers, Florida-based Surfside Non-Surgical Orthopedics, filed a class-action lawsuit against Allscripts, arguing that it suffered economic damage and other harm from the interruption in Allscripts services.
“This attack hurt both patients and their healthcare providers using the Allscripts systems in that providers were unable to e-prescribe drugs, and patients were unable to obtain drugs e-prescribed for them by those providers,” the Surfside lawsuit stated.
“Allscripts breached its duties by failing to implement, monitor, and audit the security of its data and systems, resulting in a ransomware attack that significantly impeded and/or prevented its clients’ ability to conduct business,” the class-action lawsuit stated.
Allscripts is asking a judge to dismiss the Surfside class-action lawsuit.
In addition, Missouri-based Children’s Mercy Hospital is facing a class action lawsuit for a data breach that affected more than 60,000 individuals earlier this year.
The law firm of McShane and Brady filed the lawsuit, accusing Children’s Mercy Hospital of breaching its fiduciary duty to protect patient privacy under Missouri law.
The information possibly accessed by hackers included patient names, medical record numbers, dates of hospital stays and procedures, diagnoses and conditions, and other clinical information.
Children’s Mercy reported to OCR in January that 63,049 individuals were affected by the breach.
This is the fourth class action lawsuit McShane and Brady has filed against Children’s Mercy over a patient data breach.
It behooves healthcare organizations to beef up their security programs and practices to avoid the immediate costs of a data breach or ransomware attack and the possible longer-term costs of class-action lawsuits.