[BreachExchange] Mount Sinai St. Luke’s Hospital sued for faxing HIV status to patient’s employer

[Destry Winant]

http://www.fiercehealthcare.com/healthcare/mount-sinai-st-luke-s-hospital-sued-for-faxing-hiv-status-to-patient-s-employer

Mount Sinai St. Luke’s hospital was hit Friday with a $2.5 million
lawsuit for negligently faxing a patient’s HIV diagnosis to his
employer’s fax machine three years ago, an action that left the man
devastated, forcing him to quit his job and lose his health insurance.

The patient, a man in his 30s, is known in the court documents as
“John Doe” and the lawsuit was brought forward by the law offices of
Jeffrey Lichtman so the man’s identity can remain confidential.

Earlier this year the Department of Health and Human Services found
the hospital—Spencer Cox Center for Health, now the Institute for
Advanced Medicine run by St. Luke’s-Roosevelt Hospital Center in New
York City­—failed to appropriately safeguard the patient’s private
health information and violated the patient’s right under HIPAA and
agreed to pay a $387,000 fine. HHS’ Office of Civil Rights also
discovered during the investigation that Spencer Cox Center had
experienced a data breach nine months prior to the one in the
complaint but failed to implement safeguards or otherwise address gaps
in its compliance.

The law firm said it was forced to sue the hospital, however, because
the organization refuses to enter settlement negotiations with its
client over the damages he suffered due to its negligence.But

The lawsuit, obtained by FierceHealthcare, states that the patient
asked St. Luke’s to mail a copy of his medical records to his post
office box or his New York home. But Spencer Cox kept its records
separate and apart from St. Luke’s general medical record department
so the patient again faxed a request to Spencer Cox asking staff to
mail his records to the P.O. box or his home. Three days later the
man’s manager handed him a copy of his complete medical records, which
the mail room supervisor discovered via the fax sent to the mail room.

The stress of believing his coworkers were aware of his condition
forced the man to quit his job and lose substantial health benefits
and insurance. Lichtman said that because of the increased costs
associated with his medical insurance at this new job, the man has had
to discontinue seeing his therapist to cope with the stress, which he
blames on the actions of St. Luke’s.

Mount Sinai St. Luke’s said in a statement sent to FierceHealthcare
late Monday that patient privacy and security is a top priority at the
organization and Mount Sinai West.

"We stand deeply committed to preventing any breaches. We are working
with HHS to meticulously review privacy and security policies and
procedures, ensuring all necessary safeguards are in place to protect
patient privacy," the statement said. "Compliance with the Health
Insurance Portability and Accountability Act is a core tenent of the
work of our medical professionals; and we will continue to be vigilant
and committed in our adherence to the policy."

The hospital privacy breach is the latest in a series of accidental
disclosures of patient’s confidential health information by the
healthcare industry. Last month Aetna was hit with a class-action
lawsuit filed on behalf of customers who claim their privacy was
breached when they received a letter containing a reference to filling
HIV medications that was visible through a window in the envelope.
Days later CVS Health announced it has halted mailings that
inadvertently made a reference to HIV visible through a window in the
envelope.