[BreachExchange] Tampa General Hospital Data Breach Settlement Reached

Fri Dec 9 13:58:44 EST 2016

http://healthitsecurity.com/news/tampa-general-hospital-
data-breach-settlement-reached

A settlement was recently reached for Tampa General Hospital, following
allegations of a health data breach where employees inappropriately
accessed patient information.

The hospital will pay $10,000 into a Settlement Fund, where payments to
Settlement Class Members will be for actual losses caused by fraudulent use
of patient information, according to the settlement website.

Tampa General will also pay for one year of credit monitoring to Settlement
Class Members who successfully make a claim for monetary payment.

“The settlement provides that, to get a payment, you must have suffered an
actual loss occurring after, and as a result of, a ‘stolen identity event’
that you reasonably believe is traceable to the matters described in a
letter that you received from the Hospital (dated August 5, 2013, August
12, 2013, or September 12, 2014) notifying you that you may be at increased
risk of identity theft as a result of inappropriate access to your patient
information,” the website explains.

The initial complaint alleged that patients provided PHI and PII to Tampa
General, and that one or more former hospital employees “engaged in
unauthorized or improper access to such PHI and PII.” Along with
negligence, the hospital was accused of breach of fiduciary duty, breach of
implied contract, and violation of the Florida Deceptive and Unfair Trade
Practices Act.

“[Tampa General] denies the allegations of the Complaint and believes that
the Action is without merit,” the settlement reads. “Nevertheless, in order
to avoid the burden, expense, risk, and uncertainty of continuing to
litigate the Action, and to put to rest the controversies engendered by the
Action, and without any admission of any liability or wrongdoing
whatsoever, [Tampa General] wishes to settle the Action and all Released
Claims on the terms and' conditions set forth in this Agreement.”

In May 2014, Tampa General reportedly had actual or constructive knowledge
that unknown individuals wrongfully accessed and obtained patient PHI and
PII, according to the amended complaint. This data included names,
addresses, dates of birth, Social Security numbers, admitting diagnoses,
and insurers.

The data breach was discovered when Tampa Police arrested an individual who
was not employed at Tampa General but had hospital patient records in their
possession.

Plaintiffs claimed that the hospital’s failure to keep PHI and PII secure
could lead to identity theft for the involved patients.

Tampa General also had a history of failing to protect patient information,
according to the complaint. The complaint cited a January 2012 incident
where data integrity specialist Tigi Moore “accessed without authorization
the personal information of present and/or former patients of Defendant for
the purpose of engaging in a fraudulent scheme to steal the identities of
patients and filing false tax returns on behalf of those patients.”

Additionally, a University of South Florida employee was pulled over by
Hillsborough County Sheriff’s deputies in May 2013. Upon searching the
vehicle, deputies discovered PHI that the employee should not have had
access to.

There was also a June 2013 incident where a Tampa General nurse accessed
patient records without authorization and discovered that the patient had
given up a baby for adoption in October, 2008.

“The nurse informed the family of this patient of this fact at a family
reunion,” the claim said. “The nurse was terminated for this intrusion into
the privacy of the patient.”

In numerous cases, Tampa General’s only action to protect patient data was
to send out letters to those affected by the breach which offered one year
of free credit monitoring, according to the documents.

The Court will hold a Final Fairness Hearing on March 23, 2017 to decide
whether or not to approve the settlement.

“The Court also may decide how much the Hospital must pay Class Counsel and
the Plaintiff for fees and costs,” the website states. “After the hearing,
the Court will decide whether to finally approve the settlement, finally
certify the Settlement Class, and enter a final judgment directing that the
settlement be carried out.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161209/b443c7ab/attachment.html>