[BreachExchange] Settlement in Tampa General Hospital Insider Breach Lawsuit

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 6 19:34:00 EST 2016


http://www.careersinfosecurity.com/settlement-in-tampa-general-hospital-insider-breach-lawsuit-a-9580

In a rare settlement of a data breach class action lawsuit, Tampa General
Hospital has agreed to pay a total of just $10,000 to plaintiffs who
alleged they're at risk for identity theft as a result of insider incidents.

The plaintiffs argued that a series of breaches involving insiders at the
organization was the result of the hospital inadequately safeguarding
patient data. The lawsuit against Florida Health Sciences Center, which
does business under the name Tampa General Hospital, alleged that
unauthorized access to the hospital's computer systems put 1,179
individuals at risk for identity theft. To file for a piece of the
settlement, individuals affected must demonstrate an "actual loss" due to
the breaches.

John Yanchunis, an attorney representing the plaintiffs, tells Information
Security Media Group that the case spotlights "a continuing problem" in
many hospitals of insiders accessing data without authorization "and then
using this [information] for illegal purposes."

Bucking the Trend

While the amount of the settlement is quite small, very few breach-related
class action lawsuits are settled for any amount.

"Most healthcare data breach cases still are getting dismissed without a
real showing of specific damages," says privacy attorney Kirk Nahra of the
law firm Wiley Rein, who was not involved in the case. The Tampa General
case makes reference to the filing of false tax returns, "which at least
implies some actual impact on some subset of the people."

Nahra says the case highlights that "insider threats are real and an
ongoing problem, and companies across the board need to pay attention to
this."

Under the settlement, the hospital will also pay up to $7,500 in costs
related to the plaintiffs' attorney fees and other litigation expenses.
"This also involves a broader issue with many class action cases - not
focused on data breaches - where the class - and specifically class members
- get very little and attorneys get most of the actual dollars," Nahra says.

The Allegations

An amended complaint filed in February 2015 says that in May 2014, the
hospital "had actual or constructive knowledge that unknown individuals
wrongfully accessed and obtained plaintiff's and class members'
[information] ... which included names, addresses, dates of birth, Social
Security numbers, admitting diagnoses and insurers."

The Department of Health and Human Services' "wall of shame" tally of major
health data breaches affecting 500 or more individuals includes an
unauthorized disclosure/access breach reported on Sept. 12, 2014, by Tampa
General affecting 675 individuals and involving electronic medical records.

But the class action complaint lists several data security and privacy
incidents, some involving hospital employees, alleging that Tampa General's
"history of protecting patient information has been poor."

The lawsuit alleges that in June 2013, "it was discovered that a nurse who
worked at TGH had accessed without authorization ... records of a patient
and discovered that the patient had given up a baby for adoption in October
2008. The nurse informed the family of this patient of this fact at a
family reunion." The nurse was later terminated for the violation, the
complaint notes.

The suit alleges that as a result of the hospital's "failure to adequately
protect and secure ... protected health information and personally
identifiable information," another TGH employee "gained access to and
obtained PHI and PII belonging to plaintiff and class members in disregard
of [their] privacy rights ... and for the purpose of using this information
for the personal gain of the employee and others to whom the employee
transferred this protected information."

The data breach central to the complaint "was discovered after Tampa Police
arrested a person who was not employed at the hospital but had Tampa
General Hospital patient records in their possession." The complaint
alleges that the identity of one plaintiff "was stolen and an unknown
individual attempted to purchase goods using [the] plaintiff's personal
information."

The complaint also cites a criminal case involving Tigi Moor, a former data
integrity specialist employed by the hospital. The complaint alleges that,
beginning in January 2012, the employee accessed "without authorization the
personal information of present and/or former patients ... for the purpose
of engaging in a fraudulent scheme to steal the identities of patients and
filing false tax returns on behalf of those patients."

The scheme allegedly netted $671,000 "and undoubtedly damaged the patients
whose identities were stolen and now have to face the threat of continued
repercussions of this identity theft." Moor and three others involved
pleaded guilty to an array of federal criminal charges, the complaint notes.

In another sentencing not specifically referenced in the complaint,
Shanakia Benton, a former worker at Tampa General Hospital, was sentenced in
August to 37 months in federal prison for wrongful disclosure of
individually identifiable health information and wire fraud for her part in a
tax refund fraud scheme (see HIPAA Criminal Prosecutions on the Rise).

The settlement agreement indicates the hospital denied the lawsuit's
allegations, but decided to settle in order "to put to rest the
controversies engendered by the action."

Tampa General Hospital declined to comment about the settlement.

Other Settlements

Among other recent settlements involving data breach class action lawsuits
was a $28 million settlement in March of a suit stemming from a data breach
at St. Joseph Health System in California. Legal experts say the
comparatively hefty settlement in that St. Joseph Health case illustrates
that egregious breaches can have serious financial consequences.

Another class action lawsuit against health plan AvMed tied to a data
breach in 2009 that affected 1.2 million individuals ended with a $3
million settlement in 2013.