- After receiving $8.5 million in a medical negligence lawsuit, a Washington couple is filing another lawsuit against Virginia Mason Medical Center for its alleged actions following a patient data privacy breach.
Matthew and Sarah Hipps, MD, claim that they received notification letters of the incident in question on May 1, 2017. The hospital had reported the month prior that they had discovered 21 hospital employees inappropriately accessed patient health records from around October 2016 to January 2017.
Employees had reportedly improperly accessed the health information of 419 emergency room patients over a period of about three months. Patient medical and demographic information was viewed, but financial information was not accessed, according to Virginia Mason.
The hospital’s chief compliance and privacy officer Trent Belliston told the Yakima Herald that investigators have no reason to believe the staff members had any malicious intent in viewing the patient records.
“No evidence that the information’s being used in an improper way,” Belliston explained. “We believe this to be a case of snooping, or individuals who were bored.”
Virginia Mason CEO Russ Myers maintained that labor and confidentiality laws prevented him from explicitly naming which employees accessed the information or how the employees were disciplined.
This is part of what led to the Hipps filing the second lawsuit. The couple explained that not knowing enough about the breach, or whether their information was shared or sold helped push them to file a second lawsuit, according to local news source KING-TV.
"After having our lives completely turned upside down by Virginia Mason's dishonesty and unethical practices, and then believing our rights had finally been restored, we're back in the same place," Matthew Hipps said a statement. "It boggles my mind that, not once, were they willing to sit down and explain the story of what happened face-to-face. We just want this resolved."
Delayed data breach notifications can have severe ramifications for healthcare organizations.
Earlier this year, Presence Health agreed to a $475,000 OCR HIPAA settlement following a reported data breach and a subsequent delayed breach notification process.
Presence Health first discovered in 2014 that paper-based operating room schedules containing the PHI of 836 individuals was missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. The incident had reportedly taken place a few months earlier in 2013.
OCR determined that “Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.”
The investigation found that other reported breaches from 2015 and 2016 were not reported in a timely fashion.
“HHS learned that, with regard to several of those reported breaches, the Presence Health entities had failed to provide timely written breach notifications to the individuals whose PHI had been compromised as a result of those breaches,” the Corrective Action Plan said.
Individual notification must take place without unreasonable delay or no later than 60 days following the breach discover, regardless of the size of a data breach, according to the HIPAA Breach Notification Rule.
When an incident involves fewer than 500 people, covered entities must make an annual report. However, these notices are due to the Secretary “no later than 60 days after the end of the calendar year in which the breaches are discovered.”
“A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered,” HHS states on its website. “The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident.”